Accessible News

Top storiesNew ZealandPoliticsBusinessEntertainmentSportsWorld

Impacts of Manage My Health data breach echo throughout Wairarapa

Thursday, 8 January 2026

Some ex-Manage My Health users reported being advised to change their password on the site when they tried to access it earlier this week.
Some ex-Manage My Health users reported being advised to change their password on the site when they tried to access it earlier this week.

The impact of the New Year’s Eve cyberattack on Manage My Health continues to unfold across the region, with former users of the platform potentially affected by the data breach.

Patients at Wairarapa Medical, which used to use the private patient portal at two of its three South Wairarapa practices before migrating to MyIndici, had been given instructions by email on how to close their old Manage My Health accounts.

To “opt out”, patients were advised to sign in, navigate to My Account and choose “Close Account”.

“Your information is removed when you close your account,” the email said.

Other former Manage My Health users reported being advised to change their password on the site when they tried to access it earlier this week.

Alec Birch, a patient at Masterton Medical, which stopped using Manage My Health last year and migrated patients to an alternative provider called Vensa, said he hadn’t heard from the practice as to what to do with his legacy account.

“I don't know if we have been impacted [by the breach],” Birch said, but the cyberattack had dented his trust in these types of platforms.

“They seem like a good idea at the time, but then they turn around and bite you on the backside,” he said.

Masterton Medical was approached for comment about how it was communicating with patients but had not responded in time for this story.

Dr Buzz Burrell, chairperson of General Practitioners Aotearoa, said the medical profession’s trust had been broken as a result of the Manage My Health breach.

Patient portals such as Manage My Health were a “very well-advertised bandwagon” about a decade ago which doctors were strongly encouraged to “jump on”.

“We trusted a system … in hindsight, that was artificial trust, and when trust is breached in any shape or form … it takes a long time, if ever, to recover from that.”

To Burrell, the Manage My Health cyberattack was a symptom of successive governments’ “hands-off” approach to primary care and general practice.

The management, profitability and viability of general practice had been put “firmly in the hands of GP ownership”, Burrell said, which had created a fragmented, vulnerable service and workforce.

In a letter from General Practitioners Aotearoa, sent on Wednesday, Burrell asked the Privacy Commissioner whether GPs and employed doctors were vulnerable to “vicarious liability” as a result of the Manage My Health cyberattack and who would pay for financial damages if there are civil cases taken against practices by patients affected by the breach.

Burrell said these were live unanswered questions raised by General Practitioners Aotearoa members, in calls and emails he’d fielded since the attack was made publicly known on New Year’s Eve.

“There is an appropriate nervous vulnerability now of doctors working in New Zealand, not only for this [cyberattack], but for the next one,” he said.

Adam Burns, a cybersecurity expert with New Zealand company Blackveil, advised current or former Manage My Health account holders to remain vigilant even after following the account closure protocol and to consider making a written request to the company to ensure data had been deleted.

According to his scan of the Manage My Health site on Wednesday, issues such as weak encryption keys and missing security headers were still present.

Simeon Brown, Minister of Health, acknowledged the breach was “very concerning” to those who used the Manage My Health platform and said patient data 'must be protected to the highest of standards“.

According to advice he had received, “individuals can close their own accounts and Manage My Health has advised that it will delete all information 90 days later”.

“It is my expectation that patients’ health records are secure and held in accordance with the law. This is why I have asked the Ministry of Health to review this breach and Manage My Health’s response to it.”

In a statement on its website, Manage My Health said it would begin notifying patients by email in the next 24 hours and hoped to complete this process by early next week.

The company had also obtained injunction orders on an interim basis from the High Court preventing third parties from accessing any stolen data.

Court documents put the number of affected patients at 127,000 and the number of documents stolen at 430,000.