Patient information portal Manage My Health says it is experiencing technical difficulties – including sending out blank or contradictory emails – as it works to resolve a cyber breach affecting approximately 125,000 users.
The privately-operated patient portal, used by some general practices around New Zealand, earlier this week confirmed it had identified a cyber security incident involving "unauthorised access" to the "My Health Documents" module in the app late last year.
"Information in the Manage My Health core module, in respect of appointments, prescription in the Health Record function have not been accessed and the portal has been independently confirmed as secure."
The company said approximately 125,000 of its 1.8 million users were affected.
The stolen data originated predominantly from Northland, and included approximately 45 general practices in the region; including clinical discharge summaries and historical clinical referral records between six and eight years old.
A further 355 "referral-originating" GP practices across a number of regions and personal health information uploaded by patients were also affected.
The company said it had received independent confirmation from its cyber security specialists that the current system environment was "secure and operating as intended".
Out of an abundance of caution, the company said it had limited access for users to the United Kingdom, United States, Australia and New Zealand during the incident and "will gradually restore access internationally".
Ransom
ManageMyHealth has begun notifying GPs about which of their patients’ files may have been compromised. (Source: 1News)
Manage My Health obtained an interim High Court injunction on Monday preventing third parties from accessing any stolen data.
The Government had also taken action, with Health Minister Simeon Brown ordering a review into the response to the cyber security breach.
The hackers, who called themselves "Kazu" posted to the Telegram social media app on Sunday morning, demanding the company pay a ransom of US$60,000 (NZ$103,368) within 48 hours. There had since been unverified reports the deadline had been moved to Friday.
All posts referring to the data breach was removed from an account purportedly used by the hacker was removed on Wednesday following the injunction.
Police advised third parties not to engage directly with the criminal hacker group involved.
"Doing so is not in the best interest of those impacted by this incident and can have un-anticipated consequences."
People were also advised that anyone impacted by the breach was not required to contact police as "this has been covered by the Manage My Health report to police".
"However, police should be contacted if there is evidence of misuse of personal information."
All affected users to be contacted by early next week
ManageMyHealth believed between 6% and 7% of the approximately 1.8 million registered users may have been impacted. (Source: 1News)
Direct notifications were sent out to more than half of the affected users on Thursday morning to email addresses Manage My Health's patients had used to register their account. The remaining patients who had not yet been contacted would be notified by early next week.
Manage My Health reiterated its "sincere apology to those impacted by this criminal cyber breach. We understand it is distressing and appreciate the frustration at the timing of communications".
"However, this is a complex exercise which unfortunately cannot be simplified due to the separate cohorts of patients affected which have to be dealt with in different ways," Manage My Health said in an update today on its website."
The company said there was "unfortunately no scenario in which MMH could issue instant notifications to those impacted by the breach".
"Direct notifications have required coordination and clearance from relevant authorities and health sector stakeholders such as GP organisations."
Blank, contradictory emails
Manage My Health said it was aware of technical difficulties experienced by some users, such as receiving emails, accessing the patient portal, and viewing documents in their account.
Meanwhile, it said some email clients "may not have displayed the email correctly, and we have corrected this are sending follow up emails where necessary".
In a small number of cases, it said, users were told they were impacted by the breach, but the app showed they were not.
"This was caused by the timing of the emails being sent, and the app being updated. This has been updated and all users see the correct details in the app after they have been notified," it said.
Manage My Health said its website had seen a large increase in traffic but was "standing up well".
"We increased capacity as much as possible at short notice to accommodate expected volumes. While some users have experienced some slowness, the application has been operational, and most users are getting the information they need.
"We ask people to have patience please and to not access the website unless they need to until this notification process is complete."
Anyone with inquiries was urged to contact the Manage My Health team via a direct message through social media or at info@managemyhealth.co.nz.
Allegation of prior security breach
The Office of the Privacy Commissioner confirmed on January 7 that it had received an email via their enquiries inbox from an anonymous source in June 2025 alleging names, email addresses and passwords were exposed on the Manage My Health platform.
Manage My Health today said it had investigated the matter at the time and did not find a breach.
"However, out of an abundance of caution, we forced password resets on the users concerned. We also reinforced that two factor authentication is available to users of Manage My Health for them to use to enhance the security of their access to the portal."
It said a forensic investigation into the cause of the breach was ongoing.
"We also had an independent vulnerability application test conducted which confirmed the current system environment is secure, and therefore can offer an assurance that the breach was swiftly contained."
An 0800 number has been established for impacted individuals seeking support and assistance.
SHARE ME