Imagine waking up to the news that your personal health information has been compromised in a massive cyberattack. That’s exactly what happened to thousands of patients in New Zealand when Manage My Health, a widely-used online patient portal, fell victim to a major breach. But here’s where it gets even more alarming: the attack wasn’t just a minor glitch—it exposed sensitive data from around 125,000 users out of its 1.8 million registered base. This isn’t just a tech issue; it’s a stark reminder of how vulnerable our most private information can be.
The breach, which occurred on December 30, 2025, targeted the 'My Health Documents' module of the app, where patients and healthcare providers store critical medical records. The incident was publicly disclosed on January 1, 2026, after the company was notified of unauthorized access. In response, Manage My Health sprang into action, securing the platform, bringing in cybersecurity experts, and alerting the Office of the Privacy Commissioner. But this is the part most people miss: despite these swift measures, the damage was already done.
The compromised data included clinical discharge summaries, historical referral records dating back six to eight years, and health-related documents uploaded by patients. Controversially, the breach primarily affected 45 general practices in Northland, though news reports suggest that 355 other GP practices were indirectly impacted. This raises a critical question: how safe is our data when even specialized platforms like these can be breached?
Adding fuel to the fire, the ransomware group Kazu claimed responsibility for the attack, demanding a $60,000 ransom within 48 hours. While Manage My Health obtained a High Court injunction to prevent the stolen data from being accessed by third parties, the group’s initial release of sample data sent shockwaves through the community. As of now, the deadline has passed, but no further leaks have been reported. Still, the incident leaves us wondering: should companies ever pay ransoms to cybercriminals?
Governments worldwide are urging firms to resist such demands, with some countries even banning ransom payments outright. Manage My Health has publicly apologized for the distress caused, but the incident highlights a broader issue: the growing sophistication of cyberattacks and the challenges of safeguarding sensitive information. Here’s the real question for you: How much trust should we place in digital health platforms, and what more can be done to protect our data? Share your thoughts in the comments—this is a conversation we all need to have.
