New Zealand Health Portal Breach Exposes 126,000 Patients
ManageMyHealth confirms Kazu ransomware gang compromised Health Documents module, threatening to leak 108GB of medical records unless $60,000 ransom is paid.
New Zealand's largest patient portal has confirmed that between 108,000 and 126,000 users may have had their medical information accessed after a cyber attack over the holiday period. A ransomware group calling itself "Kazu" is demanding $60,000 by January 15 to prevent publication of the stolen data.
ManageMyHealth, which serves approximately 1.8 million registered users across New Zealand, disclosed the breach on January 1 after detecting unauthorized access on December 30. The company has commenced legal action in an attempt to prevent the attackers from leaking patient information.
Scope of the Compromise
Independent forensic analysis determined that attackers compromised only one module within the platform—Health Documents—rather than the entire system. This module stores uploaded medical documents, test results, and other health records that patients and providers share through the portal.
The Kazu group claims to have exfiltrated approximately 108 gigabytes of data totaling more than 400,000 files. Based on ManageMyHealth's registered user base, the affected population represents roughly 6-7% of total accounts.
The timing couldn't have been worse. Most GP practices across New Zealand were closed for the holiday period when the breach was discovered, leaving doctors unable to warn patients or assess their own exposure. General Practitioners' College president Dr. Luke Bradford said he only learned of the breach through media reports—calling it "terribly disappointing."
What Was Exposed
ManageMyHealth hasn't released a complete inventory of compromised data types, but Health Documents would typically contain:
- Specialist referral letters
- Lab results and diagnostic imaging reports
- Medication histories
- Clinical notes and correspondence between providers
- Patient-uploaded records
For affected users, the exposure potentially includes sensitive diagnoses, mental health records, and other information patients reasonably expected to remain private between themselves and their healthcare providers.
Minister Responds, Downplays Clinical Impact
Health Minister Simeon Brown was briefed on January 1 and called the breach "concerning," while emphasizing that Health NZ systems—including the separate My Health Account platform—were not affected.
"There is no clinical impact on patient care as a result of this cyber incident, and health services continue to operate as normal," the Minister's statement read.
That's technically accurate. Patients can still receive care. But the statement sidesteps the real harm: intimate health information is now in the hands of criminals who've already demonstrated willingness to exploit it for profit. For patients whose records were stolen, the "clinical impact" will be felt in their personal and professional lives for years.
Ransomware Targeting Healthcare
Healthcare breaches have grown increasingly common as attackers recognize that medical data commands premium prices and patients are especially vulnerable to extortion. The sector's combination of legacy systems, tight budgets, and life-or-death operational requirements makes it an attractive target.
Kazu is a relatively new entrant in the ransomware space, though the group's tactics—holiday timing, relatively modest ransom demands, and direct patient data threats—suggest operators with experience in healthcare extortion.
The $60,000 demand is notably lower than typical ransomware asks, which often reach into the millions. That pricing strategy may be intentional: a sum small enough that paying might seem rational, while large enough to make the campaign worthwhile.
ManageMyHealth's Response
The company says it has engaged international forensic consultants, reported the incident to the Privacy Commissioner and New Zealand Police, and believes the intrusion has been contained. A dedicated helpline for affected practices and users is expected by early next week.
"Manage My Health is commencing legal action to protect clients' data," the company stated in its January 3 update.
Legal action against criminal ransomware operators is typically more symbolic than effective. The attackers almost certainly operate from jurisdictions beyond New Zealand's legal reach. But it may provide some procedural tools if the data appears on leak sites or dark web forums.
What Affected Users Should Do
Patients who've used ManageMyHealth should assume their information may have been compromised and take precautions:
- Watch for targeted phishing: attackers with health data can craft highly convincing scam messages referencing real medical conditions
- Monitor financial accounts: health records often contain enough personal data to enable identity theft
- Be alert to extortion attempts: criminals sometimes contact patients directly, threatening to expose sensitive diagnoses
- Document everything: if harm occurs, records of the timeline will matter for any future claims
For now, 126,000 New Zealanders are waiting to see whether their most private health information ends up posted publicly—a decision that rests entirely with criminals operating under a deadline two weeks away.