A Tauranga pensioner is worried about identity theft after receiving confirmation her account was affected by the ManageMyHealth cyber breach. 

Kaye McKenzie-Muirson, 71, is one of more than 127,000 users whose health records were compromised in the attack, which ManageMyHealth became aware of on December 30. 

More than 70% of those affected are based in Northland, RNZ reported from Health NZ. Neither Health NZ nor ManageMyHealth has provided figures for the Bay of Plenty or Lakes regions. 

The portal, which has 1.8 million users in New Zealand, works in conjunction with one of the two main operating systems GP clinics use. 

Medical practitioners use it to share information with their patients – including notes from appointments, test results and prescription information. 

RNZ reported the data breach could make victims vulnerable to bank account theft and put them at risk of identity theft or extortion. 

The attacker allegedly demanded the company pay a US$60,000 ($104,000) ransom to avoid the data being distributed. 

McKenzie-Muirson told the Bay of Plenty Times she had been a patient at Te Manu Toroa’s Tauranga Moana City Clinic for 20 years. 

She received an email from ManageMyHealth on January 8 informing her she was affected by the cyber breach. 

The email, sighted by the Bay of Plenty Times, said ManageMyHealth was “sincerely sorry” the incident occurred. 

“We recognise that you trust us with sensitive health information, and we regret that this trust has been impacted,” the email said. 

“We take our responsibility to protect your information seriously, and we sincerely apologise for the distress this has caused you.” 

It recommended she change her password, enable multi-factor authentication and “stay alert” for any unusual account activity. 

The email included an incident summary and steps it had taken, including making logins “more secure”, securing health documents, seeking an injunction in the High Court to prevent third parties from access of dealing with any documents should they be leaked online, and notifying government agencies. 

McKenzie-Muirson said she was concerned about identity theft and her health information being released. 

“I don’t think people are taking it seriously enough.” 

McKenzie-Muirson said she had been to her bank, where staff put a “warning on my account”. 

ManageMyHealth said on January 12 more than half of affected patients had been notified via email. Photo / Michael Craig 

Te Manu Toroa chief executive Pat Cook said to date it was aware of two patients impacted by the cyber breach at its Tauranga and Pāpāmoa clinics. 

Cook said ManageMyHealth was not the current practice management system used for its general practice after it switched to a patient portal called My Indici in October 2024. 

By law, all health information must be retained for 10 years. This meant even if patients were no longer using ManageMyHealth and were using My Indici, their records would still be stored on the original platform, she said. 

Cook said Te Manu Toroa took the privacy and security of patient information seriously. It was monitoring ManageMyHealth updates and would share relevant information when available. 

She said its internal systems remained secure and it had reviewed its processes to ensure continued data protection. 

Cook advised being cautious of phishing emails or suspicious messages asking for personal information. 

A ManageMyHealth statement on January 13 said the company and forensic cybersecurity experts continued to investigate the incident, and new information confirmed a group of patients who were previously notified as potentially affected were not affected by this incident. 

“We are contacting these patients directly to apologise for the concern this notification may have caused and to confirm that their information was not accessed.” 

These patients would now see a green box at the top of their web application when logged in, saying “no impact”. 

“When we first identified the breach, our priority was to contain the breach, act with transparency and to notify potentially affected patients as quickly as possible. 

“As the investigation progressed, we have now confirmed that specialist referral documents were not accessed.” 

It said more than half of affected patients had received a notification email and the process was “ongoing”. 

Contacting the remaining patients would take “some time” given the complexities of securely co-ordinating communications with relevant authorities and data controllers. 

ManageMyHealth was posting regular updates on its website. 

The Bay of Plenty Times attempted to establish the local impact of the breach. 

Health New Zealand Te Whatu Ora said on Wednesday it was unable to provide specific numbers of people affected for the Bay of Plenty and Lakes regions. 

ManageMyHealth was asked on January 6 for a list of Bay of Plenty and Rotorua GP practices where patients had been affected by the breach. 

Managing identity theft 

The New Zealand Government website recommended using the Department of Internal Affairs’ online checklist if you suspect or know that someone is fraudulently using your identity in any way. 

The checklist included five scenarios for why someone might think they may be a victim of identity theft, including having documents lost or stolen. 

It recommended contacting the organisation your identity information was connected with, for example, the Department of Internal Affairs for a stolen passport, or your bank for compromised bank accounts or credit cards. 

“Contact the NZ Police using their non-emergency contact options if you have evidence that your identity has been stolen, have had your wallet or credit card stolen, or suspect a scam.” 

Megan Wilson is a health and general news reporter for the Bay of Plenty Times and the Rotorua Daily Post. She has been a journalist since 2021.