The shortcomings of hacked prescription portal MediMap are likely to be examined as part of a government-commissioned review into a separate patient portal breach.
MediMap was taken offline on Feb 22 after patient information was found to have been altered in a cyberattack. As of March 4, the portal was being brought back online.
In a statement, MediMap said it had “rebuilt a secure production environment, completed a forensic review and validation of our data, identified the specific demographic records that were altered, and strengthened authentication controls, supported by independent cyber security specialists.”
The company said all user passwords would be reset, and any medication changes made manually during the outage would require clinical review. It acknowledged the “patience and professionalism” of healthcare staff who managed manual processes during the disruption, and apologised to “residents, patients, families and healthcare providers for any disruption and distress.” A court injunction was granted prohibiting anyone from accessing, using, copying, sharing or publishing any of the affected data.
Health minister Simeon Brown commissioned the Ministry of Health to conduct a broader review into the MMH incident. A spokesperson for the minister’s office told RNZ that while MediMap would not be explicitly named in the review, the systemic issues that led to the breach would likely apply to both platforms.
“The Ministry of Health’s review into the Manage My Health (MMH) cyber security incident is considering the broader issue of how private companies secure health data,” the spokesperson said.
A Ministry of Health spokesperson said the review aimed to understand the causes of the MMH breach and recommend improvements to better prevent future data breaches. “While our focus remains on Manage My Health, the learnings will apply more broadly to other digital platforms which manage health data,” the spokesperson said.
Prime minister Christopher Luxon told media last week that Cabinet had signed off on a new cyber security policy and strategy and warned businesses about lax security practices.
“The Kiwi laid-backness in a cyber security world where there are real risks and challenges is not good enough. You need to be investing and making sure that your systems and your protocols are up to speed, and are actually on-point, and that they continually evolve,” Luxon said.
He said the government would consult on the issue in the coming months and consider incentives and penalties.
Last week, MMH began notifying a further group of patients affected by the December attack.
The MediMap breach followed a hack of the patient portal Manage My Health (MMH) in late December 2025, which RNZ described as one of the biggest privacy breaches in New Zealand history. MMH became aware of the incident on Dec. 30, after a partner flagged the issue, and confirmed it publicly the following day.
Independent forensic specialists determined that a cybercriminal using the alias “Kazu” had accessed and downloaded documents from the “My Health Documents” section of the platform. The stolen files included correspondence, medical reports, and test results. MMH estimated that between 6% and 7% of its approximately 1.8 million registered users – roughly 108,000 to 126,000 people – may have been affected. A substantial number of those impacted were linked to general practices in Northland.
Kazu posted about the attack on a cybercrime forum on Dec. 30, claiming more than 400,000 files had been taken and demanding a US$60,000 ransom, threatening to put the data up for sale if MMH did not pay by Jan. 15. In early January, further messages circulated via Telegram repeating threats to release the material. New Zealand’s official position, in line with its Western geopolitical allies, is not to pay ransoms.
On Jan. 1, 2026, the Office of the Privacy Commissioner was notified of the breach and subsequently published guidance for affected patients. MMH set up a dedicated 0800 helpline for confirmed affected patients, and general practices were notified ahead of patients to allow GPs to prepare for enquiries.
In a statement on Jan. 5, MMH apologised for delays in communication, saying its priority had been to secure patient data before making public disclosures. “We acknowledge we could have done a better job at communication,” the company said, adding there were “constraints, both legal and practical,” affecting the timing of information releases.
