Self-described MediMap hacker reports erasing seized health data

Outage forces clinicians back to paper prescribing and charts

By Roxanne Libatique

An individual claiming responsibility for the MediMap data breach says they have deleted information taken from the platform, while insurers and health-sector stakeholders continue to examine the incident’s implications.

MediMap platform remains offline during investigation

The incident involving MediMap, a digital medication management platform used by New Zealand health providers, was identified on Feb. 22 and led to the system being taken offline while investigations proceeded. Providers using the platform reverted to paper-based processes for prescriptions and medication management during the outage. MediMap has obtained an urgent injunction intended to prevent any person from accessing, using, copying, sharing, or publishing data obtained without authorisation. The court action followed contact from a person claiming responsibility for the breach, who approached Stuff and other newsrooms and supplied what appeared to be a sample of patient information.

In a later email to Stuff, the same individual said they had decided to withdraw from further engagement, stating that they had “permanently deleted all data on my end.” Media outlets have reported that they cannot independently confirm the person’s identity, the authenticity of the data sample, or whether the deletion claim is accurate. At this stage, there is no clear indication that the material has been widely released beyond communications with media organisations. The person claiming responsibility used the names of political figures, including ACT leader and Deputy Prime Minister David Seymour, in communications about the incident. They stated that the breach was “not politically nor financially motivated” but did not provide an alternative explanation. One message ended: “Goodbye for now, we are Charlie Kirk,” referring to MediMap records in which some patient names were reportedly altered to “Charlie Kirk,” the US conservative activist who was shot dead in September 2025. Other patients were reportedly marked as deceased in records despite being alive.

Royal New Zealand College of GPs president Dr Luke Bradford said the main clinical risk during the outage related to changing processes. “There are always errors when you transfer from one system to another, especially at haste,” he told Stuff, referring to the move back to manual systems. For underwriters and brokers, outstanding issues include the number and type of records affected, the duration of service interruption, and whether any data was removed from MediMap’s environment or only altered in place. Those points may influence assessments of cyber, professional indemnity and business interruption covers for health-sector policyholders.

How the incident is classified as a cyber event

Attention has also turned to how the MediMap incident should be described for technical and insurance purposes. MediMap director Geoffrey Sayer has said in media interviews that he had “no reason to believe this was a cyberattack.” He added: “Unfortunately, this is a case of someone stealing credentials and using those credentials of a legitimate user of MediMap to cause this harm.” Cybersecurity specialists have taken a different view. Adam Burns of cybersecurity firm Blackveil said that, in his assessment, the activity remains within the scope of a cyber incident. “If it was stolen credentials, then the attack vector is what I keep saying, weak domain/dns/email authentication which allows brand impersonation and phishing attacks,” he said.

Luke Taylor, chief executive of SSS Cybersecurity, compared the situation to physical security. He said MediMap’s stance was “like saying your house wasn’t burgled because the intruder used a copied key instead of breaking a window.” He added: “Credential-based attacks aren’t a lesser category of cybercrime. They are cybercrime.” For insurers, the way credential theft, authentication weaknesses, and phishing are documented may be relevant to policy definitions of “unauthorised access,” “security failure,” or “cyber event,” as well as to conditions around minimum security controls.

‘Hacktivist’-style behaviour and operational impacts

The pattern of activity at MediMap has led some specialists to suggest the case has elements of “hacktivism” rather than a traditional ransomware or pure data-theft model. Burns said publicly reported activity appeared to focus on altering existing records rather than encrypting systems or issuing a ransom demand. “The attacker wasn’t trying to steal data; they were trying to make a statement. Unfortunately, they made it on the medical records of some of New Zealand’s most vulnerable people,” he told Stuff. He noted that incorrect demographic details can have immediate clinical and operational effects even if information is not openly published, particularly where patients are wrongly recorded as deceased or moved between facilities within systems.

Cybersecurity consultant and former NCSC staffer Jan Thornborough of Outfox said taking a platform offline in the early phase of an incident is a standard containment measure. “So, usually in the first 24 to 48 hours, it’s really important for them to assess what’s happened so that they can contain the risk and preserve any evidence so that when they get the right experts in, they can investigate it properly and actually find out exactly how the hacker got in,” she told RNZ.

Thornborough also said the case should act as a “wake-up call for all New Zealand organisations” when assessing technology suppliers. “We’re all operating in a digitally connected environment these days, and they need to take ownership of where they put their information and who they trust holding on to it because at the end of the day, it’s a shared responsibility between the business and the vendor of a particular piece of software or a portal,” she said. Grey Power New Zealand has said the breach has affected confidence among some older people who rely on digital health tools for medication management and care coordination. National president Gayle Chambers said older New Zealanders should not have to worry about the accuracy or security of their health records, and the group has called for stronger cyber safeguards across the sector.

Canopy Healthcare incident and notification timing

The MediMap event follows earlier disclosure by Canopy Healthcare of a separate cyber incident and comes amid ongoing attention to how quickly organisations notify affected individuals and regulators. Canopy Healthcare – owner of providers including Canopy Imaging (formerly TRG Imaging), Absolutely Radiology, Canopy Cancer Care, and Auckland Breast Centre – wrote to patients in January 2026 regarding a cyber incident first identified on July 18, 2025. The company told patients that “an unknown person temporarily obtained unauthorised access to a part of our systems used by our administration team.” It said clinics, patient services, and core electronic health record systems “were not affected” and continued to operate, and that the data potentially accessed included names, contact details, and referral information.

Canopy notified New Zealand Police and the Office of the Privacy Commissioner and obtained a High Court injunction to restrict any use or publication of data that may have been accessed. As a private provider, it is not regulated by the Ministry of Health but is subject to the Privacy Act 2020 and the Health Information Privacy Code. In its email, Canopy said there was “no indication that any credit card, banking information, or identity documents were affected.” On its website, however, the company stated: “The unauthorised party may have accessed a small number of bank account numbers, which had been provided to Canopy for payment or refund purposes. We are directly notifying potentially affected individuals.” For underwriters, the notification timeline and the differences between direct and online communications may be relevant when reviewing compliance with policy conditions on prompt notice of circumstances, regulatory engagement, and communication with affected parties, as well as any potential for class or representative claims.

Manage My Health attack and data-leak exposure

The sector is also addressing the December 2025 ransomware attack on Manage My Health (MMH), a GP patient portal used throughout New Zealand. MMH has reported that attackers gained unauthorised access to its New Zealand application and health information on Dec. 30, 2025, accessing personal health documents for about 120,000 people. Threat actors reportedly demanded US$60,000 (about NZ$104,000) and began publishing data on the dark web, warning they would release “everything they have” if payment was not made within 48 hours.

MMH has said it has contacted most individuals whose information was affected and has warned of potential follow-on scams. “We’re also aware that secondary actors may impersonate MMH and send spam or phishing emails to prompt engagement. These communications are not from MMH,” the company said. It has indicated that further technical controls are under consideration and has issued guidance to users on recognising suspicious approaches. The compromise involved a document storage component of the portal rather than general practice clinical systems, but if fully released the data set could include medical correspondence and clinical summaries for more than 120,000 New Zealanders.

Insurance market focus on systemic risk and controls

Across MediMap, Canopy, and MMH, insurers and brokers are considering the extent of cyber and privacy risk in health-sector platforms that aggregate demographic and clinical data from multiple providers. Areas of focus for insurance professionals include:

  • Requirements for multi-factor authentication and other access controls at third-party health technology vendors
  • Business interruption triggers and sublimits where clinical workflows depend on external platforms used by aged care, diagnostics, oncology, and community health services
  • Documentation of incident timelines, notification decisions, and the consistency of public, regulatory, and patient communications

Systemic and aggregation risk is also in view, given that a limited number of digital platforms support a significant proportion of New Zealand health providers. As investigations into the MediMap incident continue, the market is watching how affected organisations manage system restoration, patient communication, and regulatory engagement, and how those responses may influence cyber cover, pricing, conditions, and underwriting scrutiny in New Zealand’s insurance sector.
