ManageMyHealth has confirmed that a cyber-security breach resulted in unauthorised access to patient health documents from its online portal, with investigations indicating that more than 120,000 patient files may have been impacted. The breach is being linked to a ransomware-style data-extortion actor known as “Kazu”, which has publicly claimed responsibility.
ManageMyHealth said forensic specialists have identified the general practices whose patients’ records were accessed, and coordination is now underway with Health New Zealand to begin direct notifications to affected individuals. General practices remain open and clinical services continue as normal.
The company said the breach was contained after it was detected on 30 December 2025, and that independent security experts have since reviewed the platform and confirmed that it is safe to operate. The incident has been reported to the New Zealand Police, the Office of the Privacy Commissioner, the National Cyber Security Centre, and Health New Zealand.
Preliminary assessments indicate that around six to seven percent of ManageMyHealth’s 1.8 million registered users may have been affected. The affected material is understood to relate to a specific module containing uploaded health documents such as referral letters, discharge summaries, laboratory results, and other medical correspondence.
Independent analyses of files posted by the threat actor online suggest that some of the accessed documents include personally identifiable information, including names, addresses, contact details, and National Health Index (NHI) numbers. The full extent of what was accessed or exfiltrated is still being verified, and ManageMyHealth has not publicly confirmed whether full data sets were downloaded.
The actor has also made statements about how the breach occurred. In messages shared with an independent analyst, the actor claimed it was linked to what they described as a “broken access control vulnerability”. No technical evidence was provided to support this claim, and investigators have not confirmed the cause. Analysts note that statements from extortion actors should be treated cautiously until validated through formal forensic reporting.
Health New Zealand said its own clinical systems were not affected by the breach, and that the incident is limited to the privately-operated ManageMyHealth platform. An incident management process has been activated to support practices and coordinate the notification programme.
The actor calling itself “Kazu” has claimed that it obtained large volumes of patient files and has made extortion demands, consistent with double-extortion activity seen in other international cases. Attribution remains under investigation and authorities have not confirmed further identifying details about the group or its operators.
ManageMyHealth said legal steps are being taken to prevent the disclosure or misuse of any stolen material while investigations continue.
Patients who are affected are expected to be contacted directly by ManageMyHealth and their general practice. The company has advised users to reset their passwords and enable multi-factor authentication as a precaution.
This is a developing case and further updates are expected as forensic validation and notifications progress.
