Manage My Health cyberattack puts Wairarapa patient data under scrutiny
Tuesday, 6 January 2026
Patients at two Wairarapa GP practices will soon find out whether their personal data was compromised in a major New Year’s Eve cyberattack on a patient portal.
Carterton Medical Centre and Whaiora in Masterton use Manage My Health to connect patients to their health records, lab results, prescriptions, and appointment booking online.
On December 31, Manage My Health, used by about 1.8 million patients nationwide, was targeted by a hacking group.
The ransomware attack extracted patient-related data that the hackers claimed could potentially affect more than 126,000 users and involved more than 400,000 files.
As of Monday morning, Manage My Health had been given 48 hours to pay a ransom of US$60,000 (about NZ$104,000) or “we will leak everything”, a statement from the hackers said.
Whaiora chief executive Jake Carlson said he understood that affected clinics and patients would be notified by “close of play” on Monday.
At the time of going to print, Carlson had not received official confirmation but said: “It looks like we are unaffected.”
He described the data breach – which according to Manage My Health targeted the health documents module within the portal’s app, not the whole app – as “very concerning”.
“We take the information that we hold of our patients with a great deal of responsibility,” he said. “It’s sensitive information just to fall into the wrong hands, so to speak.”
Carlson said the incident brought the conversation about Māori data sovereignty – that is, the rights Māori have to data that relates to Māori – and indigenous approaches to collecting and storing sensitive information “back to the forefront”.
“I think that’s certainly something we should be paying more attention to. How do we be guardians of our own information?”
Masterton Medical discontinued its use of Manage My Health early last year and migrated its thousands of patients to an alternative provider, Vensa.
Practice manager Robyn Wilson said the clinic believed Vensa was a “superior product” and had been assured by the new provider it was secure.
Practices in South Wairarapa were understood to use the MyIndici patient portal.
Manage My Health, a private company owned by businessman Vino Ramayah, said an independent forensic investigation was under way and “the specific vulnerability that allowed unauthorised access has been identified, patched, and independently verified by external cybersecurity specialists”.
The company’s spokesperson said they knew who had been affected and were working with health partners to “provide a time frame for communications this week”.
Legal action to protect clients’ data had begun, the spokesperson said, while the ransom demand was being handled by police, who confirmed they had been informed of the incident on January 1 and were investigating.
Dr Luke Bradford, president of the Royal New Zealand College of General Practitioners, said patient portal apps were extremely useful health tools but a lack of standards for private companies developing them had left patients and clinics vulnerable.
“We probably did not have stated standards which were being monitored, measured, assessed and companies held accountable to for the protection of what is patient data,” he said.
“It’s in that murky zone [in that it’s] a private business, so the Ministry [of Health] can’t control it.”
He hoped fast action to establish enforceable standards would follow.
“We need to make this better, ensure that the companies are meeting standards when it comes to such sensitive data.”
Adam Burns, a cybersecurity professional based in New Zealand who had been independently monitoring Manage My Health since the breach, said the attack was “preventable”.
He concurred with Manage My Health’s statement that the company had secured its storage issue but said there was “a difference between fixing the specific exploit and fixing your overall security posture”.
Issues such as weak encryption keys and missing security headers were still present in a scan he conducted on January 5.
“They’ve locked the door the attackers came through. I’m pointing out there are other windows that could use attention immediately post-breach.”
Burns hoped the incident would be the catalyst for long-overdue, urgent change.
“There needs to be some massive change in our industry, in the cybersecurity industry, and across every other industry, especially with critical data, such as health and finance.”