
Private health records surface on dark web after Manage My Health hack

Sunday, 4 January 2026

The Manage My Health online portal with a message for users about a data breach.

Private health records, linked to the Manage My Health ransomware attack, appear to have already surfaced on the dark web, revealing patients’ most delicate medical details online.

While the download link for the documents had been removed by Friday afternoon, Manage My Health confirmed it was aware some data had been posted.

One clinic affected by the breach and whose documents were online said they had been told not to comment by Te Whatu Ora and WellSouth, and directed comments to Manage My Health.

A person with technical knowledge, who said the information was relatively easy to find, said it appeared to be proof of the wider operation.

“I’m increasingly concerned that the seriousness of this breach is still not being clearly explained or acknowledged.”

But the breadth has been. Manage My Health - a private enterprise owned by Aucklander Vinogopal Ramaya - has said that about 120,000 Kiwis’ private health data had been compromised. On Friday it also confirmed that a US$60,000 (NZ$104,000) ransom had been demanded.

“I’m not saying we won’t or will [pay it],” said a spokesperson, adding that the danger was the hackers would use the payment to extort more money. Government guidelines also warned against payments, and those to sanctioned states such as Russia could result in hefty fines or jail time for organisations and individuals.

Manage My Health is an online portal used by about 1.8 million New Zealanders. Its privacy policy says it takes reasonable steps to ensure personal information is “stored in a secure environment, and protected from unauthorised access, modification or disclosure”. Servers were hosted in a secure environment by a reputable vendor, it says.

“Manage My Health cannot be held liable in any way for events beyond our control or in any way for accidental or unauthorised access of your information.”

In an update on Saturday, it said it would be “commencing legal action to protect our clients’ data”.

Forensic cyber security specialists had secured the website and identified those whose data had been leaked - about 6-7% of its 1.8 million registered users.

“The investigation has identified that one module, health documents, within the app was compromised, not the whole app.”

It would be notifying those affected and launching an online help desk and phone line for its users and GPs from early next week.

That information, according to College of GPs medical director Luke Bradford, ranged from prescriptions and medications to test results and notes between medical teams. Operation and procedure details could also be included.

The leaked documents appeared to be correspondence between patients and doctors and seemed to be chosen as subjects to get attention, he said.

Yet the hack had already got plenty of attention. On Friday, even before they knew that some of the information was circulating on the dark web, worried New Zealanders spoke of their concerns. One of them, a Wellington woman, said the consequences couldn’t be underestimated.

“Your GP is the first point of call for everything - addiction, sexually transmitted diseases, mental health - the most private details there are. What if some young person has had an abortion they want to keep secret? What if my employer finds out I’m being treated for something serious, or even embarrassing? This isn’t just life changing, it could be life ending.”

Another patient said he was currently just waiting to hear “what everyone else might soon know about me”. His medical centre had automatically signed him up to Manage My Health and he had assumed it was a system run by the government.

“I had no idea that my private information was being held by a company making money off it. How does that happen? How’s that allowed?”

Manage My Health waited two days, from Tuesday to Thursday, before notifying police of the ransomware attack and putting a “holding statement” online to alert patients.

On Friday, while the company said Ramaya was unavailable for an interview, it did release a statement providing “additional factual clarification”.

Chris Finlayson KC, a former GCSB minister, says the breach is one of the most serious he’s heard of.

“Preliminary investigation reveals no evidence at this stage that the core patient database was accessed, nor any evidence of data modification or destruction within our system, nor any access to user credentials.”

The Office of the Privacy Commissioner and Te Whatu Ora Health NZ have also been involved, with Health NZ bringing in independent cyber specialists, it said. The National Cyber Security Centre and the Police Cyber Crime Unit were also involved.

Manage My Health was leaving it for police to identify the hackers and was “cautious about drawing conclusions while that work continues”. It also recommended that users regularly update their passwords.

But Chris Finlayson, a lawyer and former GCSB minister, said the response fell well short of what it should be.

“The privacy of individuals is of supreme importance. It’s not enough for agencies to say, ‘we’ll learn from these mistakes’, because these mistakes shouldn’t have been made in the first place.

“When you’re dealing with confidential information then the onus is on you to provide whatever safeguards are required.”

And when they’re not? Finlayson said it would be interesting to know if Manage My Health had insurance.

“It’s one of the most serious data breaches I have ever heard of. There needs to be some accountability and, whether it’s civil liability or whatever, it is up for the Crown Law Office to advise the Government on.”

Health Minister Simeon Brown, meanwhile, has been accused of being missing in action while the full scale of the Manage My Health crisis becomes clear.

The ransomware attack struck as Government ministers are on summer break, leaving just duty ministers in charge. Brown’s office said he had two briefings and was staying on top of the situation.

Health Minister Simeon Brown, despite saying he’s being kept up to date with the hack, has been urged by opposing parties to get back to work.

Green Party health spokesperson Hūhana Lyndon said “we need confidence the minister is there”, adding Brown had to “get back to work” and deal with the matter urgently.

Labour spokesperson Megan Woods said New Zealanders deserved to know what private health information was obtained by cybercriminals, and “the minister needs to be able to account for whether this has happened or not. The health system doesn't go on holiday”.

Te Whatu Ora Health NZ on Friday said it was working with Manage My Health and a range of government agencies to handle the situation. It had brought in “independent cybersecurity capability” to help.

“We expect MMH [Manage My Health] to meet clear standards around system security, transparency, and communication with users,” a Health NZ statement said.

“Health NZ will continue to monitor progress closely and maintain active engagement with MMH and partner agencies.”

Public Service Association national secretary Fleur Fitzsimons said the health system’s data protection was a “ticking time bomb” - a warning she had been sounding since last summer.

While Manage My Health was an entirely private enterprise - it earns revenue from healthcare providers through subscriptions, transaction fees, payments and messaging, and other services - Fitzsimons called the breach a “wake-up call for the entire health sector in New Zealand”.

“This will happen again with patient data held by hospitals, because of Government cuts imposed on Health New Zealand. Like Manage My Health, our hospitals are also using outdated systems and have lost experts who understand their quirks through the redundancies and downsizing.”

In early February, Fitzsimons wrote to the Privacy Commissioner about the union’s concerns over data security.

On Friday, she reiterated the request for the Privacy Commissioner to investigate Te Whatu Ora’s security.

But the commissioner said ongoing talks with Te Whatu Ora meant there was no need for a review.

“The Privacy Commissioner has ongoing discussions with Health New Zealand around its privacy and personal information responsibilities as part of its regular monitoring relationship. For this reason no formal investigation has been initiated,” the commissioner said in a written statement.

Manage My Health urged its users to reset their passwords or enable two-factor authentication for “peace of mind” and added protection.

“In addition, keep an eye out for anything unusual, such as medical bills or insurance claims you don’t recognise, or unexpected letters from healthcare providers. If you see anything that looks odd to you, contact the relevant provider immediately.

“You can also report anything suspicious to the New Zealand Police via police.govt.nz and report any suspected scam calls or emails to CERT NZ via cert.govt.nz.”

*CLARIFICATION: This story has been updated to clarify that the Privacy Commissioner has ongoing discussions with Health NZ, and that means a formal inquiry about data security is not needed. (Amended: Sunday Jan 4, 11.57am)