Manage My Health (MMH), a privately operated patient portal used by general practices across New Zealand, has confirmed a cyber security incident involving unauthorised access to its New Zealand application and health information.
The company said it was first alerted to the incident in late December 2025 and has since made changes to its systems in response. Manage My Health has engaged independent international forensic consultants to review those actions and determine what information was accessed. Preliminary internal analysis indicates that between 6% and 7% of the portal’s approximately 1.8 million registered users may have been affected. The company has started identifying potentially impacted individuals and expects to begin direct notifications in phases.
Chief executive officer Vino Ramayah said the company is aware of the implications for patients. “We understand how personal and sensitive health information is, and we recognise the stress an incident like this can cause. Our team is working hard to identify those affected, and to communicate directly and transparently,” Ramayah said. Manage My Health has notified the Office of the Privacy Commissioner and New Zealand Police, and is working with Health New Zealand and other organisations in relation to the incident.
The company plans to notify general practices before contacting affected patients. Practices are being given access through Manage My Health’s secure Provider Portal to confidential lists of their impacted patients, along with information to help them respond to inquiries.
Under the Privacy Act 2020 and the Health Information Privacy Code, the responsibility to notify individuals generally sits with the agency that holds their information. Where patient records originate from multiple organisations, there may be several data controllers with separate notification obligations. That structure requires coordination between Manage My Health, Health New Zealand, GP practices, and other providers on how and when patients are informed.
Manage My Health has said it will publish regular updates on its website and provide a detailed FAQ for providers and patients. It is also directing users to the government’s Own Your Online website for advice on online security practices. A dedicated 0800 helpline for affected patients is planned once the notification process to practices has progressed, with further details to be released in a later update.
Manage My Health has obtained injunction orders from the High Court preventing third parties from accessing data that may have been posted as a result of the incident. The company has an international team monitoring known data leak websites and says it will issue takedown notices if stolen information is detected.
“A cyberattack is criminal activity, and any unlawful use of private client information will be subject to legal action and takedown orders,” the company said in its statement. Any ransom demands related to the incident are being handled by New Zealand Police, and Manage My Health has declined to comment further while the investigation continues. An independent forensic investigation by specialist cyber security consultants is ongoing. Manage My Health has said it cannot comment on specific technical findings while that work is under way.
The incident has prompted a formal review ordered by Health Minister Simeon Brown, focusing on how Manage My Health and Health New Zealand prepared for and responded to the breach. “I know this breach will be very concerning to the many New Zealanders who use ManageMyHealth, and we need assurances around the protection and security of people’s health data. Patient data is incredibly personal, and whether it is held by a public agency or a private company, it must be protected to the highest of standards. I have decided to commission the Ministry of Health to lead a review of the ManageMyHealth and Health New Zealand’s response. We must learn from this incident, to avoid any repeat events in the future,” Brown said.
The review will examine the causes of the incident, evaluate the adequacy of data protections and the incident response, and recommend improvements to reduce the likelihood and impact of similar breaches. Brown has asked that the review begin no later than Jan. 30, with terms of reference to be developed in consultation with the Government Chief Digital Officer and the National Cyber Security Centre (NCSC). Health New Zealand has advised that its own systems were not affected. It is working with primary care providers through General Practice New Zealand to clarify potential impacts on patients and practices. General practices remain open and continue to provide services.
The Manage My Health breach coincides with growing reported financial losses from cyber incidents in New Zealand, including in sectors that rely on large volumes of sensitive data. In its Cyber Security Insights report for the quarter from July 1 to Sept. 30, 2025, the NCSC received 1,249 incident reports. While volumes were close to earlier periods, direct financial losses in the quarter reached $12.4 million, compared with $5.7 million in the previous quarter.
For insurers, brokers, and risk managers, the case highlights several areas of focus: reliance on third-party platforms in healthcare, the complexity of multi-party notification duties, potential liabilities around privacy and communication, and the increasing use of court orders and active online monitoring in breach response strategies. The outcome of the government review is likely to inform expectations on cyber security controls, vendor oversight, and incident-management planning across health and other data-intensive sectors.
