$100,000 Manage My Health breach: Two days to tell police, users
Friday, 2 January 2026
Privately-run medical portal Manage My Health waited two days before telling police and users about a ransomware attack affecting about 120,000 patients’ personal medical information.
Manage my Health has confirmed hackers have demanded a US$60,000 (NZ$104,000) ransom for the information.
In an update on Friday afternoon, Manage My Health said it first became aware of the breach on Tuesday. Police have confirmed they were told about midday on Thursday – the same day Manage My Health put a “holding statement” on its website.
“On becoming aware of the issue, our immediate priorities were to secure the platform, prevent any further unauthorised access, and preserve system evidence for forensic investigation. Independent cyber security and forensic specialists were engaged at that point,” a statement from the Auckland-owned company said.
Read More:
Patient data at risk over ‘dangerous’ IT job cuts at Health NZ, union warns
Government vows to fix decades of delay with unified patient record
Are you affected or do you know more? Email editor@thepost.co.nz
“The Office of the Privacy Commissioner was notified and we have remained in active contact with the Commissioner’s Office since that time.”
It believed about 7% of its 1.8 million customers – about 126,000 – were affected and the breach appeared contained to a “specific group of documents”.
“Preliminary investigation reveals no evidence at this stage that the core patient database was accessed, nor any evidence of data modification or destruction within our system, nor any access to user credentials.”
A Manage My Health spokesperson earlier said it had not yet decided if it would pay the ransom. The danger of paying was the hackers would use the payment to extort more money, he said.
The New Zealand Government says ransoms should not be paid.
Manage My Health is a patient portal to deal with primary care physicians. It holds private medical data including subscriptions, test results, national health numbers and communication between GPs and patients.
The Manage My Health spokesperson said “up to” 10 staff were on duty during the holiday period. The service was a “private enterprise” and got no Government funding for Manage My Health.
“Manage My Health earns revenue from healthcare providers through subscriptions, transaction fees for bookings, payments and messaging, plus enterprise contracts, integrations, and digital health services,” he said.
Ransom demanded - but for what information?
The Department of Prime Minister and Cabinet warns ransoms should not be paid. Payment would not guarantee the end of an incident nor that data would be returned, but did provide a financial incentive for hackers.
Payments to a sanctioned state, such as Russia, could breach sanctions rules and result in a fine of up to $1m for organisations or up to seven years in jail and a fine up to $100,000 for individuals.
Manage My Health, owned by Aucklander Vinogopal Ramayah, has not responded to emailed questions.
Questions put to the company include what patient data was accessed, including personal medical records, test results, prescription details, national health numbers, and names and addresses.
Simeon Brown urged to return to work
Meanwhile, Health Minister Simeon Brown - who says he’s been briefed twice and is working with officials - is accused of being missing in action.
“We need confidence the minister is there,” said Green health spokesperson Hūhana Lyndon.
“This is a breach of significance,” she said.
Labour spokesperson Megan Woods said New Zealanders deserved to know what private health information was obtained by cyber criminals, and “the Minister needs to be able to account for whether this has happened or not”.
“The health system doesn't go on holiday,” she said.
Brown first issued a statement on Thursday evening saying Health NZ systems including My Health accounts had not been accessed. My Health accounts are linked, but separate to, Manage My Health.
Brown said he was briefed on the incident on Thursday afternoon. The situation was a “concerning breach of patient data” and and Te Whatu Ora Health NZ was working closely with Manage My Health to make sure it was being appropriately addressed.
“At this stage, there is no evidence any Health NZ systems, including My Health Account, have been compromised as ManageMyHealth has separate systems
“I have been advised that there is no clinical impact on patient care as a result of this cyber incident, and health services continue to operate as normal,” he said in that emailed statement.
“I expect Manage My Health will continue to keep the public informed as more verified information becomes available and will put appropriate measures in place to ensure patient safety and privacy are protected and given the highest priority.
“I also expect a coordinated and robust response, and Health NZ is keeping me updated.”
His office on Friday morning issued a fresh statement, saying he was first briefed on the situation on New Year’s Eve, a day earlier than first stated. He was then updated on New Year’s Day, a spokesperson for his office clarified.
“Manage My Health, as a private company, is responsible for the management of its systems and communications,” he said on Friday when asked if he would return to work.
“We expect it to communicate transparently with users about the incident and the actions being taken. Further questions should be directed to Manage My Health.”
Brown’s office later called The Post to say he was working.
“The Minister is actively engaged on this matter and is working with officials on this serious issue and receiving regular updates from officials. He received an initial heads-up on 31 December and met with officials yesterday for a full briefing.
“He will continue to be updated and meet with officials as required.”
A Health NZ statement said it was working with a range of government agencies to manage the breach. This included bringing in its own “cyber specialist capability”.
It was also talking to primary care organisations and GPs that used the service.