Digital medicines platform MediMap is seeking urgent court orders in New Zealand after an individual claiming to be behind a cyber incident circulated what appears to be patient information to news organisations – an incident that is drawing attention to cyber risk, privacy exposure, and the role of cyber insurance across the health and aged-care sector.
The incident, first identified on Feb. 22, has led MediMap to keep its system offline while it investigates how the platform was accessed and what data was altered or obtained. The company’s system is widely used by aged-care, disability, hospice, and community health providers to support prescribing, dispensing, and medication administration – making the disruption and potential liability exposure a point of focus for insurers and brokers active in health and long-term care.
MediMap said it is moving to obtain an injunction that would bar any party from accessing, using, copying, sharing, or publishing data believed to have been taken from its systems, and to limit further dissemination of the material online. “We understand this situation is concerning for residents, patients, their families, and healthcare providers. We sincerely apologise for any distress this may have caused,” the company said in a public statement, as reported by Stuff.
The company said it is working with New Zealand Police, the National Cyber Security Centre (NCSC), Health New Zealand | Te Whatu Ora, and the Office of the Privacy Commissioner as it responds to the incident. MediMap described the activity as alleged unauthorised access and modification of data and said a review is under way. “Our investigation into the alleged unauthorised access and modification of data is ongoing. We are working to identify any personal information that may have been accessed by an unauthorised third party. Once this process is complete and we have verified the facts, we will contact affected customers directly regarding any necessary next steps,” MediMap said.
MediMap has confirmed that the incident involved changes to demographic fields in some patient records, including names, dates of birth, care locations, assigned prescribers, and resident status. Staff at multiple facilities reported that a proportion of residents were suddenly listed as deceased when they logged in on Feb. 22. Others found that some resident names had been replaced with “Charlie Kirk,” ages had been altered, and residents appeared reassigned to different facilities.
The name of ACT leader and Deputy Prime Minister David Seymour has also been used in the compromised data. Seymour said he was briefed about the use of his name by another minister’s office. “If the breach is political, I’m not going to give them the time of day. The real issue here is the privacy of New Zealander’s data, and the distress it may have caused for their families and loved ones. The government has ongoing work to strengthen cyber security in New Zealand, and incidents like this show why it’s needed,” Seymour said. Health Minister Simeon Brown said he was aware that “political figures” had been named but declined to comment further, instead directing operational questions to MediMap. Prime Minister Christopher Luxon said the incident, following the Manage My Health breach, supported the case for changes to New Zealand’s cyber security settings.
A person claiming responsibility for the MediMap incident has contacted several media outlets, supplying what appears to be a sample of patient records and saying they hold a larger volume of data. They also claimed they would release additional material if unspecified demands were not met. The authenticity of the data and the sender has not been independently verified, and the demands have not been made public. MediMap has not yet confirmed whether any data has been exfiltrated, in addition to being modified. The number of affected providers and records remains unknown, leaving uncertainty around the potential scale of privacy notifications, claims, and regulatory response.
Cybersecurity specialists say the nature of the changes to records and the use of political names may indicate a “hacktivist”-style campaign rather than a conventional financially driven ransomware attack. Adam Burns of cybersecurity firm Blackveil said the activity appears to have centred on altering records instead of encrypting systems or issuing a ransom note. “The attacker wasn’t trying to steal data; they were trying to make a statement. Unfortunately, they made it on the medical records of some of New Zealand’s most vulnerable people,” Burns said, as reported by Stuff. He said that even without data being openly published, incorrect demographic details can have immediate clinical and operational impacts, including where patients are wrongly recorded as deceased or shifted between facilities on screen.
Separately, Jan Thornborough of Outfox, a cybersecurity consultant and former NCSC staffer, said taking the platform offline while the initial investigation proceeds is a standard containment measure. “So, usually in the first 24 to 48 hours, it’s really important for them to assess what’s happened so that they can contain the risk and preserve any evidence so that when they get the right experts in, they can investigate it properly and actually find out exactly how the hacker got in,” Thornborough said, as reported by RNZ. She said the incident should act as a “wake-up call for all New Zealand organisations” about how they select and oversee technology suppliers. “We’re all operating in a digitally connected environment these days and they need to take ownership of where they put their information and who they trust holding on to it because at the end of the day, it’s a shared responsibility between the business and the vendor of a particular piece of software or a portal,” she said.
With MediMap offline, providers have shifted to paper-based systems for medication charts and administration records. Frontline staff describe increased administrative time and risks associated with manual transcribing and checking. For insurers, these changes point to potential operational loss, delayed care, and liability exposure that may intersect with cyber, professional indemnity, and medical malpractice covers. A senior worker at a South Island aged-care facility said that when she logged into MediMap on Feb. 22, about one-third of residents were erroneously shown as deceased. She said that after raising the issue internally, her team was told there was a major problem and instructed to move to paper charts.
Taupō pharmacist Ayman Ibousi said his pharmacy received automated notifications on Feb. 22 indicating around 15 patients had been recorded as deceased. “On Sunday, we got a slew of emails that about 15 patients were marked as deceased, which is impossible to have all 15 of them,” he said. With MediMap unavailable, he said prescriptions now require manual confirmation and reconciliation between general practitioners, pharmacies and residential facilities, with turnaround extending from same-day fulfilment to 24 to 48 hours. “Communications between us, rest homes, and GPs have slowed down a lot, and we have to reconcile medication charts by hand as well, which can lead to errors, medication errors as well, when everything’s on paper,” he said.
Palliative Care Nurses New Zealand said it was “deeply concerned about the impact this may have on the safety, privacy, and delivery of care for our patients,” adding that “any disruption places vulnerable patients at risk.” MediMap said residents and patients “will continue to receive the same level of care while the MediMap system remains offline” and that users are receiving regular updates. “We acknowledge and thank providers and their staff for their professionalism and commitment in ensuring continuity of care during this time. Our priority remains working with our customers to restore our platform as quickly and as safely as possible,” the company said.
The Office of the Privacy Commissioner has confirmed it was notified of the incident and said any breach assessed as involving “serious harm” must be reported under the Privacy Act. The regulator said MediMap would need to determine “the size and scope of the breach and its impact on New Zealanders,” and that people “rightly expect any agency collecting, holding, using or storing their sensitive health information to maintain high standards of privacy and data protection.”
Health NZ’s acting chief information officer for digital services, Darren Douglas, said Health NZ has activated its cyber incident management team to support MediMap and is coordinating with the NCSC and other agencies. However, he said that as a privately owned business, MediMap is “solely responsible for ensuring the security of its platform and needs to be doing everything it can to manage this incident and minimise any potential impact.”
The MediMap incident is likely to prompt closer scrutiny of cyber risk across digital health platforms, including governance of third-party vendors, dependence on single clinical systems, and aggregation of exposure where one software provider underpins multiple insured facilities. The ongoing outage, potential privacy notifications, and any regulatory or civil proceedings will provide a practical test of how cyber policies, technology errors and omissions, and health-sector liability covers respond to incidents that combine data modification, service interruption, and regulatory scrutiny.
