The inset image shows the avatar chosen by Kazu, the hacker claiming to be behind the ManageMyHealth exploit. The avatar image comes from the computer game Cry Of Fear, originally a mod of the Half-Life game with a psychological horror twist in bleak urban settings.

ManageMyHealth patients affected by cyber attack fear missing records, fallout from hack

Author: Anna Leask,
Publish Date: Sat, 10 Jan 2026, 3:51pm

More victims of the ManageMyHealth cyber attack are coming forward, concerned about swathes of data missing from their accounts, the impact on their future prospects if their data is shared – and growing frustration at a lack of information from the platform’s owner.

More than 127,000 users’ health records were compromised in the attack, which ManageMyHealth became aware of on December 30.

The attacker allegedly demanded the company pays a US$60,000 ($104,000) ransom by 5am yesterday to avoid the data being distributed.

“Don’t worry, this will be over soon, and everyone will be satisfied,” the person identifying as the hacker Kazu told the Herald earlier this week through the Telegram messaging app.

ManageMyHealth has been issuing daily updates – but has repeatedly refused to answer specific questions from the Herald about the breach and who is behind it.

The portal, which has 1.85 million users in New Zealand, works in conjunction with one of the two main operating systems GP clinics use.

Medical practitioners use it to share information with their patients – including notes from appointments, test results and prescription information.

A user from Russell told the Herald they had been notified that their ManageMyHealth account had been compromised.

“They advised me to change my password, which I did. The account took such a long time to register, it kept going back to sign in, four times. I nearly gave up and then, hey presto, it came through,” they said.

“It showed me as having notifications going back to March 2025. I have many more than that.

“My account goes back to 2020 but that’s not showing so what’s happened to all those notifications?”

The man thought to advise ManageMyHealth but said there was no way to contact them.

“It’s a bit of a mess really.”

ManageMyHealth says security flaws are fixed as users await details of breach. Photo / Supplied

Another man said both he and his wife’s accounts were compromised and his daughter had just been informed that her GP’s practice was affected.

“She’s still trying to find out if her notes have [been compromised],” he said.

“At that rate, I guess the estimates of those affected may be very optimistic.”

He said the data breach posed several issues, specifically for younger users.

“If you are young, there are many diagnoses which, if out in the public domain, could seriously affect travel, employment, insurance, social interactions and a whole range of other things,” he said.

“If your records get posted, you are inviting blackmail, a mental health crisis, or thieves if you are prescribed restricted drugs.

“I live with considerable pain and am medicated for such. So what happens if all the druggies and crims know what’s here and where I live? People are murdered for less.

“Personally, I would have expected ManageMyHealth to pay the ransom and hope it stops at that.”

The man said the situation was frustrating and worrying and raised questions about the company’s security systems.

“What was the method of hacking? Was the data copied, or have they installed hidden keys … and how long did they have access?"

Health Minister Simeon Brown speaks to media in his Pakuranga electorate office about the ManageMyHealth data breach. Photo / Jason Dorday

The man said he had not heard anything from his GP.

“I have requested all my records be removed from ManageMyHealth and any back-ups … so [I’ll] see what happens there,” he said.

“My daughter requested the same and was told it wasn’t necessary as it was safe now.

“If this progresses and is caused by incompetence, a class action comes to mind … Then it comes down to who is liable … would ManageMyHealth be legally responsible or the GP practices that purchased the product and loaded your records?

“I wasn’t given much choice of regards using ManageMyHealth.”

Meanwhile, a Waikato man is annoyed he is yet to hear if his data had been impacted.

“I had to chase ManageMyHealth to ask ‘what is happening’ and whether my data was involved,” he said.

“They replied [at 2.10am on January 10] and I’ve had no other communication at all.

“Their silence tells me they have no idea of what to do.”

The email stated: “Thank you for contacting ManageMyHealth and for taking the time to raise your support case with us.

“We understand that news of a cyber security incident can be distressing and unsettling, and we sincerely acknowledge the concern and anxiety this situation may have caused you. Please be assured that we are treating this matter with the utmost seriousness.

“Your support case has been logged … If our investigations confirm that your information was involved, you will be contacted directly.

“We wish to reassure you that the majority of users were not affected.”

The rest of the email was a regurgitation of information provided in press releases and links to websites with “the latest confirmed information and answers to common questions”.

“Thank you for your patience and understanding as we continue this work,” said an unnamed support worker from the ManageMyHealth customer care department.

The portal has offices in New Zealand, Australia and India.

Health Minister Simeon Brown has directed the Ministry of Health to investigate the circumstances around the ManageMyHealth data breach.

Anna Leask is a senior journalist who covers national crime and justice. She joined the Herald in 2008 and has worked as a journalist for 20 years with a particular focus on family and gender-based violence, child abuse, sexual violence, homicides, mental health and youth crime. She writes, hosts and produces the award-winning podcast A Moment In Crime, released monthly on nzherald.co.nz