Accessible News

Top storiesNew ZealandPoliticsBusinessEntertainmentSportsWorld

Manage My Health hacker ‘in negotiations’, sets new Friday deadline

Tuesday, 6 January 2026

Auckland-based Manage My Health has been the target of a ransomware attack with $104,000 demanded. The hacker posted, top right, a 48-hour deadline on Sunday but, as that expired on Tuesday morning, told The Post they were in negotiations (bottom right).
Auckland-based Manage My Health has been the target of a ransomware attack with $104,000 demanded. The hacker posted, top right, a 48-hour deadline on Sunday but, as that expired on Tuesday morning, told The Post they were in negotiations (bottom right).

The Manage My Health hacker, holding private data on more than 120,000 Kiwis, has set a new deadline for resolution – 5am on Friday.

The hacker had set an early Tuesday morning deadline but, as that passed, confirmed to The Post that they had entered negotiations with privately owned Manage My Health and would “not share the files during the communication period”. Manage My Health was approached for confirmation.

The hacked later confirmed they had set a 5am cut-off time for those negotiations.

Read More:

According to their earlier online statement, they appeared to have two options if the US$60,000 ($104,000) ransom was not paid: Release the information or sell it. The 48-hour period ended shortly before 6am on Tuesday. They appeared to favour the former.

The hack, which accessed private health files of about 126,000 New Zealanders, happened on December 30. Some sensitive health information has already been posted on the dark web.

The privately owned portal, used for communication between patients and doctors, saw about 7% of its 1.8 million users affected. At the time of publishing, individuals were yet to be notified over whether their private information had been compromised.

Minister of Health Simeon Brown says the incident is a “wake-up call”. (File photo)
Minister of Health Simeon Brown says the incident is a “wake-up call”. (File photo)

In an exclusive interview with The Post, Health Minister Simeon Brown said that in his view Manage My Health had been “acting too slowly and not communicating as effectively as they should be”.

“We are taking this incredibly seriously because it is patients’ most private information which has been hacked, and our expectation is Manage My Health takes it incredibly seriously too,” he said.

Brown said the company had advised him it was “preparing for a rapid notification process”, and he had made his expectations clear that it should do so “as quickly as possible”.

He said the scope of a government review announced on Monday would include how the breach had happened as well as the response. The incident was “a wake-up call”.

“There are a large number of organisations who hold patient information, and it is New Zealanders’ expectation that it is held to the highest of standards … We are not immune [to hacking] and we have to take the precautions necessary in order to protect our data.”

As of Monday, he said “forensic work” by government agencies was underway to determine what country the hack had come from.

Brown said that, like a number of Kiwis, his family used digital applications for medical services. “I think this is an incredibly disturbing and difficult situation. I feel for every patient who has had data which has been breached.”

After a stinging rebuke earlier in the day, on Monday evening Manage My Health apologised for the “pain and anxiety” the incident had caused.

In a statement it acknowledged it could have done better with communications, “however, our priority was to secure patient data and work on the accuracy of all information before providing it to practices and patients”.

Manage My Health
Manage My Health's Auckland offices.

The company said it welcomed the minister’s review and would cooperate fully.

It also said it had been granted injunction orders from the High Court preventing third parties from accessing any data posted as a result of the incident.

“We have an international team monitoring known data leak websites and are prepared to issue takedown notices immediately if any information is posted.”

Courts confirmed Manage My Health filed for an injunction on Monday. The injunction aims to stop people spreading released information rather than stopping the hacker themselves.

Manage My Health has not said whether it would pay the ransom.

When The Post visited Manage My Health chief executive Vino Ramayah’s waterfront Auckland home on Monday, a person at the property said he was in the office. At the Viaduct-area office, nobody would answer the door despite people being inside. Ramayah did not return text messages or calls on Monday.

The Privacy Commissioner confirmed it was notified of the breach at 3.30am on January 1 – two days after Manage My Health knew – and it would investigate. It was too early to anticipate any further action.

“We will expect Manage My Health, like any health agency, to be able to demonstrate to the regulator that it had appropriate safeguards in place, and where these were not sufficient, what steps will be taken to prevent such an incident happening again,” it said in an emailed statement.

Comments are moderated during working hours and may not appear immediately.