Manage My Health Limited’s (MMH) recent cyber incident is continuing to have operational and regulatory consequences across New Zealand’s health and insurance sectors, with the online health portal warning of impersonation and phishing attempts targeting patients. The company, which operates an online patient portal used by general practices, said most individuals whose information was affected have been contacted. It also warned that criminal actors may attempt to exploit the incident by posing as the provider in email or other electronic communications.
“We’re also aware that secondary actors may impersonate MMH and send spam or phishing emails to prompt engagement. These communications are not from MMH,” the company said in a statement. It said it is considering additional controls to limit this activity and has published guidance to help users recognise suspicious approaches. The cyberattack, detected late last year, involved unauthorised access to documents stored in a specific component of the portal rather than in general practice clinical systems. Offenders reportedly demanded a ransom and threatened to publish health-related documents on dark web platforms. If released, the material could expose medical information for more than 120,000 people in New Zealand, including correspondence and clinical summaries.
MMH said general practice clinical systems, prescribing, appointment scheduling, secure messaging, and real-time medical records were not compromised. According to the company, the intrusion was confined to the “My Health Documents” function. That function contains files uploaded by patients, such as letters, diagnostic reports, and test results, along with some clinical documents made available to patients. These include hospital discharge summaries and clinical letters relating to care in the Northland Te Tai Tokerau region.
After identifying unusual activity, the company said it disabled the affected feature, blocked further unauthorised access, and activated its incident response processes. External cybersecurity specialists were engaged to determine the extent of the intrusion and carry out forensic analysis. The company said testing found that the specific vulnerability involved in the incident is no longer present. MMH said it has reset or remediated compromised credentials, temporarily suspended access to the Health Documents module, and introduced continuous monitoring while it implements broader security changes. The forensic investigation remains under way, and the company has not released detailed technical findings.
Initial notification efforts resulted in some individuals being told they might be affected before their involvement could be confirmed. “When we first identified the breach, our priority was to promptly inform all potentially affected patients,” the organisation said. It said this approach meant some early recipients of notifications were later advised that their information had not been accessed once forensic work clarified the dataset. Patients can check their status by logging into the Manage My Health web application. Those whose data was not impacted see a green “No Impact” banner on screen. The company said notification activity is continuing, given the need to coordinate with general practices, health agencies, and other data controllers while meeting obligations under the New Zealand Privacy Act.
The Office of the Privacy Commissioner (OPC) has begun an inquiry into the breach and its privacy implications. The inquiry is being conducted under section 17(1)(i) of the Privacy Act, which the OPC uses for investigations involving public interest privacy issues. “Given the scale of the incident, the sensitivity of the information and some of the systemic issues being identified, it’s clear to me we need to investigate the privacy issues involved. New Zealanders rightly expect any agency collecting, holding, using, or storing their sensitive health information to maintain high standards of privacy and data protection. Our inquiry will help determine whether appropriate security safeguards were in place and if not, why not. We will also look at what steps will be taken to prevent such an incident happening again,” Privacy Commissioner Michael Webster said. The OPC is consulting with relevant organisations on draft terms of reference and expects to publish them on Jan. 28.
MMH has obtained an interim injunction from the High Court that restricts any third party from accessing, publishing, or sharing data involved in the incident. The company said it is monitoring known data leak and extortion websites and will seek takedowns if any related material appears online. The organisation is working with Health New Zealand | Te Whatu Ora, the National Cyber Security Centre (NCSC), and New Zealand Police. Individuals contacted by anyone claiming to hold their health information are being advised not to respond, and instead to report the interaction to Police via 105, or 111 in an emergency, and to notify Manage My Health support. For insurers, brokers, and risk managers, the incident highlights exposure linked to patient portals and other repositories that sit alongside core health systems. Concentrated stores of discharge summaries, clinical letters, and investigation results can create aggregation risk for cyber and privacy-related claims and may influence future risk assessments of health sector data environments.
MMH has said it will not ask users to disclose passwords or one-time security codes and has urged caution with unexpected messages that claim to be from the company, particularly where urgent action is requested. The company has partnered with IDCARE, a cyber and identity support service operating in Australia and New Zealand, for individuals concerned about potential identity misuse, fraud, impersonation, or social engineering based on their information.
“We take the privacy of our clients and staff very seriously, and we sincerely apologise for any concern or inconvenience this incident may have caused,” MMH said, adding that it would provide further updates as the investigation and regulatory processes continue. For health and life insurers, the incident may prompt reviews of cyber underwriting approaches for healthcare providers and digital health vendors, including their controls over document-sharing features and patient-facing portals. Claims teams may also field queries from policyholders about identity compromise, targeted scams using health information, and the implications of data exposure for existing cover, renewals, and claims handling.
