> Government 'incredibly' concerned about breach potentially affecting more than 100,000 patients. New Zealand health minister Simeon Brown has ordered a review into the cyberattack at ManageMyHealth, which threatens the data of hundreds of thousands of Kiwis.…
# Incident Report: ManageMyHealth Data Breach
## Executive Summary
A cyberattack targeted ManageMyHealth, a major New Zealand health data platform, leading to a significant data breach potentially affecting over 100,000 patients. The attacker claimed to have stolen hundreds of thousands of sensitive files and demanded a ransom. In response, the New Zealand government ordered a comprehensive review, and the company engaged forensics experts while seeking legal injunctions against data dissemination.
## Incident Details
- **Discovery Date:** Not explicitly stated, but the attacker's claim was posted December 30, and government action followed around January 5, 2026.
- **Incident Date:** Attack likely occurred shortly before December 30, 2025.
- **Affected Organization:** ManageMyHealth
- **Sector:** Healthcare Technology / Health Information Management
- **Geography:** New Zealand
## Timeline of Events
### Initial Access
- **Date/Time:** On or before December 30, 2025.
- **Vector:** Not stated. The attacker's claim of data theft implies a successful intrusion, but the report gives no detail on how access was gained.
- **Details:** Attacker "Kazu" claimed responsibility via a cybercrime forum post.
### Lateral Movement
- Unknown. The focus is on data exfiltration following initial access.
### Data Exfiltration/Impact
- **Stolen Data Claims:** Attacker claimed to have stolen over 428,000 files including passport scans, patient conditions, and nude images.
- **Confirmed Scope:** Affecting an estimated 6-7% of ManageMyHealth's 1.85 million users, amounting to over 100,000 patients.
- **Extortion Attempt:** Kazu demanded a $60,000 ransom, threatening to release the data by January 15, later accelerating the deadline to 48 hours (around January 5, 2026).
### Detection & Response
- **Detection:** Not stated. The breach became public through the attacker's forum post on December 30; whether internal detection preceded that post is unclear.
- **Response Actions:** ManageMyHealth stated that the incident was contained, engaged independent cybersecurity specialists, and worked with the Privacy Commissioner, NZ Police, and Health New Zealand. It also implemented additional monitoring and security improvements, and sought an injunction to prevent dissemination of the data.
## Attack Methodology
- **Initial Access:** Not detailed; the report does not say how the attacker gained access.
- **Persistence:** Not detailed.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Not detailed.
- **Discovery:** Not detailed.
- **Lateral Movement:** Not detailed.
- **Collection:** Gained access to and copied over 428,000 files.
- **Exfiltration:** Data was prepared for sale on a cybercrime forum, with snippets released via file-sharing sites.
- **Impact:** Unauthorized access/downloading of highly sensitive patient health records, potentially leading to identity theft and extortion.
## Impact Assessment
- **Financial:** Not specified, but included a $60,000 ransom demand. Significant costs associated with forensic investigation and remediation are expected.
- **Data Breach:** Highly sensitive patient health data, including passport scans, medical conditions, and personal images, potentially affecting over 100,000 patients.
- **Operational:** Disruption to platform access and immediate need for heightened security reviews across the national health system infrastructure.
- **Reputational:** Significant concern from the government ("incredibly concerning") and loss of trust regarding the security of personal national health data.
## Indicators of Compromise
- **Network indicators:** Cybercrime forum post (December 30), Telegram activity (January 3), and file-sharing links referenced by Kazu (links now defunct or flagged).
- **File indicators:** None; the article provides no file hashes.
- **Behavioral indicators:** Ransom demand followed by public threats of data release.
## Response Actions
- **Containment:** Company believes the incident is contained; additional monitoring implemented.
- **Eradication steps:** Digital forensics experts engaged to comb through the evidence and confirm the extent of the access and downloading.
- **Recovery actions:** Cooperation with Police, Privacy Commissioner, and Health New Zealand; user advice disseminated (password changes, MFA).
## Lessons Learned
- The high value of centralized health data makes private platforms prime targets, requiring security standards equal to public bodies.
- The necessity of rapid legal intervention (injunctions) to mitigate the immediate damage from public data release threats.
- Existing data-handling practices did not prevent the breach; national protocols for handling patient data need improvement.
## Recommendations
- Conduct an urgent, comprehensive government review of ManageMyHealth's security posture, controls, and data safeguards.
- Mandate multi-factor authentication (MFA) implementation for all users accessing sensitive health platforms.
- Review internal data retention policies to minimize the volume of highly sensitive historical data stored.
- Build in-house forensic analysis capability, or retain standing incident-response contracts, so that the scope of any data exfiltration can be confirmed quickly.