Health data hacker claims Manage My Health had time to act

Monday, 5 January 2026

As more of New Zealand’s private health data is drip-fed on line, the purported hacker behind the Manage My Health attack claims the company had time to protect the sensitive information.

A person, who The Post has agreed not to name but who has access to the purported hacker’s dark web and Telegram postings, said 181 fresh files were uploaded on Sunday. They came after an earlier 30 were published in an apparent proof-of hack late last week.

The fresh batch included PDFs of pictures of patients, passport details, and sensitive diagnoses, the source said.

Read More:

• ​More than 120,000 Kiwis’ health data breached​

• Inside NZ’s under-reported cyber war

• Health NZ: a diagnosis and the first step to recovery

The privately owned Manage My Health portal, used mainly for GPs and patients to communicate, was hacked on December 30 but it was not until January 1 that police were notified. The hacker has asked for a US$60,000 (NZ$104,000) ransom and over the weekend shortened the deadline from January 15 to Tuesday morning.

Manage My Health’s Auckland-based owner Vino Ranayah was asked on Sunday if the 120,000-odd patients whose information was hacked had been informed, whether he would apologise, if he was confident he could stop the release of more information, and if the ransom would be paid. He did not respond.

But a statement from a public relations firm for Manage My Health said affected patients had been identified and would find out which documents were accessed “in the coming days”.

Te Whatu Ora on Sunday said it expected Manage My Health to share a timeframe for notifying affected patients by Tuesday.

The Post has seen an announcement from someone claiming to be the hacker put on secure messaging site Telegram.

“This information should be announced by the company to acknowledge users, not me,” they said.

The vulnerability was found “weeks before the breach was announced, giving the company a chance to protect users before the data breach happened”.

The poster, which appeared to be a group, alleged the Manage My Health team “ignored basic safety protocols”.

Health data was targeted because it was so sensitive: “Even if the company doesn’t pay the ransom, we can still find buyers for this data.”

They went on to say they were not politically motivated and “our main goal is money and building a good relationship in the [hacking] community”.

Manage My Health in a weekend statement said its system was now secure and it was just the “health documents” section that had been breached for 6% to 7% of its 1.8 million users.

“Keep an eye out for anything unusual, such as medical bills or insurance claims you don’t recognise, or unexpected letters from healthcare providers,” it warned users.

“If you see anything that looks odd to you, contact the relevant provider immediately.”

It planned to have an online helpdesk and dedicated 0800 support number set up early this week for concerned patients and clinics.

The company said it was seeking a court injunction to prevent unlawful use of the data. It would not comment on the shortened deadline as it was apparently a matter for police, who could not confirm it on Sunday.

The alleged hacker’s claims were put to Manage My Health.

Te Whatu Ora Health NZ confirmed it was supporting the injunction.