Full Report
The International Online Crime Coordination Centre has been tracking the hacker following the breach. "We're just mindful that we're still looking into this individual, and we don't want to mistakenly drive this person underground by making them aware that there are these kinds of investigations ongoing into them." Scott said they wanted to see the person behind the attack arrested. "We definitely want justice," he said. "We want this person to be looked into and this person to be arrested as a result of their actions. They've definitely committed a plethora of crimes there, and this isn't the only attack that they've done. They've attacked numerous other institutions from across the entire globe."
Analysis Summary
# Incident Report: Manage My Health Data Breach & Attacker Identification
## Executive Summary
The privately-owned patient records company, Manage My Health (MMH), suffered one of New Zealand's largest privacy breaches, resulting in unauthorized access to sensitive health data. The threat actor, using the pseudonym "Kazu," initially demanded a US$60,000 ransom. International cybersecurity groups successfully tracked and identified the individual responsible. Response efforts, led by law enforcement and national cybersecurity bodies, are focused on the subsequent investigation and pursuit of legal action for the perpetrator's global range of cybercrimes.
## Incident Details
- Discovery Date: Not stated in the source; IOC3 (the International Online Crime Coordination Centre) was already tracking the individual before the article was published.
- Incident Date: Prior to January 30, 2026 (implied by ongoing investigation).
- Affected Organization: Manage My Health (Privately owned patient records company).
- Sector: Healthcare/Patient Records Management.
- Geography: New Zealand (Primary impact/data source).
## Timeline of Events
### Initial Access
- Date/Time: Unknown/Prior to news reporting (Late January 2026).
- Vector: Not stated in the source.
- Details: The actor obtained health data held by the MMH portal; how that access was gained is not reported.
### Lateral Movement
- Date/Time: Unknown.
- Vector: Unknown.
- Details: Not reported. Nothing in the source establishes whether the actor moved beyond the initially compromised system; the breadth of the data taken does not by itself show lateral movement.
### Data Exfiltration/Impact
- Date/Time: Unknown.
- Vector: Data theft/Extortion.
- Details: Stolen health data was held for ransom (US$60,000 demand). Samples of leaked information were published online by Kazu before being removed following a High Court injunction.
### Detection & Response
- Date/Time: Ongoing as of January 30, 2026.
- Vector: External investigation by IOC3 and internal reporting/cooperation with authorities.
- Details: IOC3 tracked and identified the alleged perpetrator ("Kazu"). Manage My Health secured a High Court injunction against sharing/accessing data. NCSC is working with Police and Health New Zealand on attribution and impact reduction.
## Attack Methodology
*Note: The source reports the attacker's identification, not the TTPs used against MMH. Only the stages the reporting supports are filled in; the rest are marked Unknown rather than inferred from generic extortion profiles.*
- Initial Access: Unknown; the source does not state the vector.
- Persistence: Unknown.
- Privilege Escalation: Unknown.
- Defense Evasion: Unknown.
- Credential Access: Unknown.
- Discovery: Unknown.
- Lateral Movement: Unknown.
- Collection: Specific health data from the patient records company.
- Exfiltration: Data was taken with the intent to monetize via ransom.
- Impact: Data exposure and extortion attempt.
## Impact Assessment
- Financial: Ransom demanded (US$60,000). Ongoing costs associated with breach response and investigation.
- Data Breach: Sensitive health data belonging to New Zealand patients was compromised.
- Operational: Management of the breach and legal proceedings following the injunction.
- Reputational: Described as "one of the biggest in New Zealand's history."
## Indicators of Compromise
- **Network indicators (defanged):** None provided.
- **File indicators:** None provided.
- **Behavioral indicators:** A threat actor using the handle "Kazu" demanded a US$60,000 ransom and posted samples of the stolen data online before they were removed. IOC3 reports the same actor has attacked "numerous other institutions from across the entire globe."
## Response Actions
- **Containment measures:** Manage My Health obtained a High Court injunction barring access to or sharing of the stolen data, and posts referencing MMH were removed from Kazu's page. An injunction limits lawful redistribution only; it does not recover copies the actor already holds, and no technical containment of the intrusion itself is described in the source.
- **Eradication steps:** Not detailed. NCSC is working with Police and Health New Zealand to reduce the impact and prevent further exploitation.
- **Recovery actions:** Not detailed. Separately, law enforcement tracing is under way on evidence shared by IOC3, and NCSC is performing attribution to confirm the actor's identity.
## Lessons Learned
- **Key takeaways:** Cybersecurity incidents involving sensitive health data carry extreme risk. Paying ransoms ("Paying that ransom doesn't guarantee that the data isn't going to be leaked") is discouraged in favor of involving law enforcement.
- **What could have been done better:** Not specified, but underscores the challenges in attributing and apprehending cybercriminals operating globally (as Kazu reportedly attacked numerous international institutions).
## Recommendations
- Treat patient-record stores as the highest-sensitivity data tier: least-privilege access, multi-factor authentication for every account that can read records, and logging with alerting on bulk or anomalous record access, so that mass collection is detected before an extortion demand arrives.
- Follow law enforcement guidance when handling extortion demands rather than paying; as the source notes, payment does not guarantee the data will not be leaked.
- Keep investing in threat-intelligence sharing with bodies such as IOC3 and NCSC. Kazu is reported to have attacked numerous institutions worldwide, and cross-border tracking is what identified the actor.
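The source gives no access vector, but the one stage of this incident that is observable on any patient-records platform is the collection step: one principal reading far more distinct patient records than a clinical workflow requires. The following is an added example written for this report, not Manage My Health's code or anything derived from the investigation. It assumes a hypothetical portal that writes one JSON line per record view with fields `ts`, `actor`, `patient_id` and `source_ip`; the log lines are constructed, and the window and threshold are illustrative values to be tuned against real baselines.

```python
"""Sliding-window detector for bulk patient-record access.

Added example (not MMH code). Assumed log format (hypothetical): one JSON
object per line with keys ts (ISO-8601, UTC), actor, patient_id, source_ip.
"""
import json
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone


def _constructed_log():
    """Build a small constructed access log (not real data).

    dr_smith views 6 distinct patients over 75 minutes (normal clinic pace).
    portal_user_7731 views 30 distinct patients in about 3 minutes.
    """
    base = datetime(2026, 1, 20, 9, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(6):
        lines.append(json.dumps({
            "ts": (base + timedelta(minutes=15 * i)).isoformat().replace("+00:00", "Z"),
            "actor": "dr_smith", "patient_id": f"P{1001 + i}", "source_ip": "10.0.5.12",
        }))
    for i in range(30):
        lines.append(json.dumps({
            "ts": (base + timedelta(seconds=6 * i)).isoformat().replace("+00:00", "Z"),
            "actor": "portal_user_7731", "patient_id": f"P{2001 + i}", "source_ip": "203.0.113.9",
        }))
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_events(raw):
    """Parse JSON lines into (ts, actor, patient_id, source_ip), sorted by time."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append((ts, rec["actor"], rec["patient_id"], rec["source_ip"]))
    events.sort(key=lambda e: e[0])
    return events


def find_bulk_readers(events, window=timedelta(minutes=10), max_distinct=20):
    """Return {actor: (window_start, peak_distinct_patients)} for every actor
    that viewed more than max_distinct distinct patients inside any window.

    Distinctness matters: re-opening the same chart is normal; touching many
    different patients in minutes is the collection pattern to alert on.
    """
    per_actor = defaultdict(list)
    for ts, actor, pid, _ip in events:
        per_actor[actor].append((ts, pid))

    alerts = {}
    for actor, rows in per_actor.items():
        win = deque()          # (ts, patient_id) currently inside the window
        counts = Counter()     # patient_id -> views inside the window
        peak, peak_start = 0, None
        for ts, pid in rows:
            win.append((ts, pid))
            counts[pid] += 1
            # Evict views older than the window relative to the newest event.
            while win and ts - win[0][0] > window:
                old_ts, old_pid = win.popleft()
                counts[old_pid] -= 1
                if counts[old_pid] == 0:
                    del counts[old_pid]
            if len(counts) > peak:
                peak, peak_start = len(counts), win[0][0]
        if peak > max_distinct:
            alerts[actor] = (peak_start, peak)
    return alerts


if __name__ == "__main__":
    for actor, (start, n) in find_bulk_readers(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {actor}: {n} distinct patients within 10 min starting {start.isoformat()}")
```

In production the threshold would be set per role from observed baselines (a triage nurse legitimately touches more charts per hour than a specialist), and the alert should carry the `source_ip` so an unfamiliar network origin can be correlated with the volume anomaly.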