Cyber Incident Victim: ManageMyHealth
Date: Dec 2025
Location: New Zealand
Summary
A ransomware group exploited compromised credentials to breach a trans-Tasman health portal, exfiltrating approximately 108 gigabytes of sensitive medical and personal data affecting over 100,000 patients. The attackers accessed specialist referral documents through insufficient access controls, subsequently demanding a $60,000 ransom while leaking sample patient records via Telegram. The incident prompted a High Court injunction against third-party data access and an official government probe into the company's security practices. Patients were not directly notified of the breach, learning of the compromise through website notices and media reports after the platform was secured. The portal's CEO confirmed his personal medical records were among the stolen data.
Description
The ManageMyHealth data breach began on December 30, 2025, when the trans-Tasman patient portal provider was notified by the ransomware group Kazu that it had breached systems and exfiltrated approximately 108 gigabytes of patient data. The attackers exploited insufficient access controls, entering "through the front door using a valid user password" to compromise a single system module containing health documents from specialist referrals. This module held medical information and personal data for between 111,000 and 129,500 patients, representing six to seven percent of the 1.85 million users registered on the platform since 2008. Kazu subsequently demanded a US$60,000 ransom and published sample patient records on Telegram to substantiate its claims, including the medical records of ManageMyHealth's CEO. The breach was not detected internally; it was disclosed externally by the attackers, with no evidence suggesting this was a technically sophisticated or targeted intrusion.

Patients and general practitioners first learned of the incident when encountering a website or mobile app notification stating a cybersecurity investigation was underway, as ManageMyHealth issued no direct user communications. Public awareness developed gradually through social media discussions and subsequent news coverage over several days. The company eventually posted a frequently asked questions page confirming the breach scope days after the initial intrusion. ManageMyHealth disabled its mobile application entirely, assured users the platform was "secure to use" after containment measures, and advised against engaging with Kazu. A New Zealand High Court injunction was obtained to prohibit third parties from accessing or distributing the stolen data. The incident triggered an official government review by New Zealand's Health Minister to examine the breach's causes and evaluate whether existing data protections met adequacy standards, with potential fines under New Zealand privacy legislation capped at NZ$10,000. Operational impacts included disrupted patient access to health records, appointment bookings, and prescription services through the portal, while legal exposure remained higher in Australia due to substantially larger potential penalties for serious breaches.
