A cyber incident at New Zealand medication management platform MediMap has disrupted medication administration in aged care, and increased insurer attention on health data integrity.
MediMap – a real-time electronic charting platform used in aged care, disability, hospice, and community health – remains offline after “unauthorised activity” led to patient demographic data being changed inside the system. The outage has prompted many facilities to revert to manual processes and raised questions about how cyber controls are implemented in clinical workflow tools that operate alongside core hospital and practice systems but are used in routine care. In a public statement, MediMap director Geoffrey Sayer said the company had identified “unauthorised activity” that resulted in “some patients’ demographic records being incorrectly modified within the MediMap platform.”
“As soon as we became aware of the issue, we engaged specialist external cyber experts and placed the platform into maintenance mode as a precautionary measure to protect patient safety. Our focus is on helping facilities to provide continuation of care, and then on remediation and safe restoration,” Sayer said, as reported by Stuff. MediMap information states the platform supports more than 2,000 GPs, over 340 facilities, and more than 350 pharmacies nationwide, indicating broad use across the health system and potential aggregation points for cyber and privacy claims. The company’s initial investigation indicates that demographic fields such as name, date of birth, assigned prescriber, site of care, and resident status have been affected. Clinical details and medication orders have not been publicly confirmed as compromised, but the system unavailability has affected medication rounds.
Front-line accounts suggest that the incident has gone beyond minor data anomalies. A registered nurse at an aged care home, who asked not to be identified, said their facility had discovered that live residents had been marked as dead and that some names and ages were altered. “When I searched for one of the missing patients using their NHI number, I located the profile and observed that the patient had been incorrectly marked as deceased,” the nurse told Stuff. They contacted support after the first case, then identified more changes across the resident list. “More patients were marked as deceased, names appeared to have been changed to Charlie Kirk, ages were altered, and some patients were assigned to different facilities,” the nurse said.
Up to 20 of the home’s 60 residents had records changed, according to the nurse. As records disappeared or were replaced, staff faced uncertainty over which medicines to administer on the evening round. “We just kept losing more patients from the screen. And so, I started panicking because it was nearly tea time and medications were not going to be given. That is when I felt the magnitude of this – I realised the meds were not going out at that time, and all that information and their charts had been changed and I didn’t know how long it would be until they were restored,” the nurse said. They added that the disruption covered medicines for conditions such as hypertension, heart disease, and diabetes, as well as medications for residents with cognitive issues and a history of falls. The facility moved to a paper-based charting process, which the nurse said was time-consuming.
Access to MediMap at the facility required both an organisation-level login and an individual credential, the nurse said, but did not include two-factor authentication. Another provider told media that multiple patients in their facility had also been marked as deceased and renamed “Charlie Kirk,” commenting: “This is much more than just ‘incorrect modification’.” Cybersecurity practitioners contacted by local media said digital forensics and incident response teams had been engaged to determine how the incident occurred and whether data was exfiltrated. One specialist compared the platform’s controls to other patient portals and raised concerns about the level of protection applied to sensitive health information.
Police, Health New Zealand, and the Office of the Privacy Commissioner have been notified. People attempting to log in this week have continued to see a holding page stating that “MediMap is currently unavailable.” For health, cyber, and professional indemnity insurers, the case illustrates how compromise of a single medication management tool can create a range of issues: interruptions to care processes, potential patient safety incidents, privacy impacts, emergency return to manual workarounds, and costs associated with forensic work and remediation.
The MediMap incident follows earlier disclosures from Canopy Healthcare about a separate cyber event and comes against a wider backdrop of scrutiny of notification timing under New Zealand’s privacy and cyber frameworks. Canopy Healthcare – which owns diagnostic and oncology providers including Canopy Imaging (formerly TRG Imaging), Absolutely Radiology, Canopy Cancer Care, and Auckland Breast Centre – wrote to patients in January 2026 about a cyber incident first identified on July 18, 2025.
According to its notification, “an unknown person temporarily obtained unauthorised access to a part of our systems used by our administration team.” Canopy told patients that core clinical systems and electronic health records remained online and that “all our services continued to operate as normal. Our clinics, patient services, electronic health record systems, appointments, and medical records were not affected.” The data that may have been accessed included names, contact details, and referral information.
Canopy notified New Zealand Police and the Office of the Privacy Commissioner and obtained an urgent High Court injunction to restrict any use or publication of data that might have been taken. As a private provider, it is not regulated by the Ministry of Health but must comply with the Privacy Act 2020 and the Health Information Privacy Code. The six-month gap between detection and patient notification has drawn questions from at least one patient and may be examined by insurers when reviewing compliance with policy conditions on prompt notice of circumstances and regulatory engagement. “I’m feeling really let down because it's taken six months for Canopy to let us know...” the patient told Stuff, noting concern about differences between the patient email and online FAQ.
In its email, Canopy told patients there was “no indication that any credit card, banking information, or identity documents were affected.” On its website, however, the company states: “The unauthorised party may have accessed a small number of bank account numbers, which had been provided to Canopy for payment or refund purposes. We are directly notifying potentially affected individuals.” For underwriters and brokers, the alignment of email messaging and web-based FAQs, and the handling of partial banking data exposure, are likely to be relevant in assessing governance standards, duty-of-disclosure issues, and potential class or representative action exposure.
The Canopy disclosure follows a ransomware incident at Manage My Health (MMH), a GP patient portal used by practices across New Zealand. In late December 2025, MMH reported that attackers had gained unauthorised access to its New Zealand application and health information, targeting the platform on Dec. 30 and accessing personal health documents for about 120,000 people. The threat actors reportedly demanded US$60,000 (about NZ$104,000) and began publishing data on the dark web, stating they would release “everything they have” if payment was not received within 48 hours.
MMH has said it has contacted most individuals whose information was affected and warned that others may attempt to exploit the incident by posing as the company. “We’re also aware that secondary actors may impersonate MMH and send spam or phishing emails to prompt engagement. These communications are not from MMH,” the company said. It has said that additional controls are under consideration and provided guidance to users on identifying suspicious approaches. The compromise related to a specific document storage component of the portal rather than general practice clinical systems. If fully released, the data set could expose medical correspondence and clinical summaries for more than 120,000 New Zealanders.
Taken together, the MediMap, Canopy, and MMH incidents point to a concentration of cyber and privacy risk in health-sector platforms that aggregate demographic and clinical data across multiple providers. For insurers, brokers, and risk advisers, recent events are likely to lead to closer examination of:
As investigations into the MediMap incident continue, market participants are monitoring how providers manage restoration, patient communication, and regulatory interaction, and how those responses may influence future cyber cover, pricing, and conditions in the local insurance market.
