New Zealand Health Agencies Found Liable in Dark Web Patient Data Breach

By MRAdmin

Breach Overview and Investigation Findings

A New Zealand Privacy Commissioner inquiry has concluded that both patient portal provider Manage My Health (MMH) and Health New Zealand (Health NZ) failed to protect sensitive patient data during a December 2025 cyber breach. The incident compromised medical records of up to 126,000 New Zealanders, with approximately 91,000 patients from Northland directly affected. The hacker group Kazu exfiltrated about 108 GB of data, including 428,000 files containing clinical notes, lab results, vaccination records, medical photographs, names, emails, and phone numbers. The attackers accessed the My Health Documents section of the MMH app using a valid user password, demanded a US$60,000 ransom, and posted sample data on a hacking forum.

Implications for Healthcare Security and Compliance

The inquiry found that MMH lacked adequate systems to detect large-scale data access, while Health NZ was deficient in specialist privacy and security staff and relied on subpar risk assessments. Both organizations breached Rule 5 of the Health Information Privacy Code. For healthcare CISOs and compliance officers, this case highlights critical vulnerabilities in patient portal security, including the need for robust anomaly detection, multifactor authentication, and dedicated privacy personnel. The breach exposed the risks of relying on single-factor password authentication for access to sensitive health data, and the importance of supply chain security assessments for third-party patient engagement platforms. Compliance notices will be issued, and Health Minister Simeon Brown has commissioned a Ministry of Health review of the incident response. MMH CEO Vino Ramayah admitted the company dropped the ball and offered to resign, describing the breach as a password-accessed intrusion where the attacker entered through the front door using a valid user password.
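As an added illustration of the detection gap described above (not code from MMH, Health NZ or the inquiry), the following example flags any single authenticated account whose document downloads exceed a file-count or byte ceiling within a sliding time window. The log format, account names, thresholds and sample data are all assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
MAX_FILES = 50                   # assumed per-account file ceiling per window
MAX_BYTES = 200 * 1024 * 1024    # assumed per-account byte ceiling per window
FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse(line):
    # Assumed log format: "<UTC timestamp> <account> <document id> <bytes served>"
    ts, account, doc_id, size = line.split()
    return datetime.strptime(ts, FMT), account, doc_id, int(size)

def detect_bulk_access(lines, window=WINDOW, max_files=MAX_FILES, max_bytes=MAX_BYTES):
    """Return {account: (first_alert_time, reason)} for accounts over either ceiling."""
    recent = defaultdict(deque)   # account -> (time, size) events still inside the window
    totals = defaultdict(int)     # account -> bytes currently inside the window
    alerts = {}
    for ts, account, _doc, size in sorted(parse(l) for l in lines if l.strip()):
        q = recent[account]
        q.append((ts, size))
        totals[account] += size
        while q[0][0] < ts - window:          # expire events older than the window
            totals[account] -= q.popleft()[1]
        if account in alerts:
            continue                          # keep only the first alert per account
        if len(q) > max_files:
            alerts[account] = (ts, f"{len(q)} files in {window}")
        elif totals[account] > max_bytes:
            alerts[account] = (ts, f"{totals[account]} bytes in {window}")
    return alerts

def constructed_log():
    """Constructed sample data: one ordinary patient, one account pulling files in bulk."""
    base = datetime(2030, 1, 1, 9, 0, 0)
    lines = [f"{(base + timedelta(hours=h)).strftime(FMT)} acct-patient doc-{h} 250000"
             for h in range(3)]
    lines += [f"{(base + timedelta(seconds=2 * i)).strftime(FMT)} acct-bulk doc-b{i} 300000"
              for i in range(300)]
    return lines

if __name__ == "__main__":
    for account, (when, reason) in detect_bulk_access(constructed_log()).items():
        print(f"ALERT {account} at {when.isoformat()}: {reason}")
```

Because the check is keyed on the authenticated account rather than on failed logins, it still fires when the session was opened with a valid password.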
