ManageMyHealth was warned about security flaws that contributed to the country's largest health data breach, yet failed to act before a hacker stole the records of nearly 100,000 patients, a review has found.
The theft of the data was described as preventable, and as "neither technically sophisticated, nor particularly uncommon", by researchers in a report released today.
The Privacy Commissioner has also deemed that both ManageMyHealth and Health NZ breached the Privacy Act over what led up to the cyberattack.
Michael Webster said he intended to issue compliance notices – the strongest enforcement tool available to him – to both organisations after finding they had failed to have reasonable security safeguards in place to protect patient information.
His inquiry, released this morning, is one of two probes into the December breach – one of the largest and most damaging cybersecurity incidents in New Zealand history.
"This incident released the sensitive health information of nearly 100,000 New Zealanders and has caused serious anxiety and distress for many people," Webster said.
ManageMyHealth believed between 6% and 7% of the approximately 1.8 million registered users may have been impacted. (Source: 1News)
"The effects are concentrated in Northland with around 91% of affected patients based there, many of whom are likely to be Māori."
The bulk of those affected – around 86,000 – were patients enrolled in Northland.
ManageMyHealth, a privately owned company within the Cereus Health Group, confirmed 99,416 individuals were impacted – down from initial estimates of roughly 127,000.
A second report by cybersecurity firm CyberCX, commissioned by the Ministry of Health, was also completed this month and released today.
It found ManageMyHealth was unprepared for an incident of this nature, had significant control failings in its technology environment, and was likely not aligned with health information security framework requirements before the incident occurred.
Media reporting based on published data samples indicated the stolen files included clinical notes, intimate imagery and scans of passports uploaded by users, which researchers said could drive serious harm, including blackmail and identity fraud.
In a statement, a ManageMyHealth spokesperson again apologised for the breach and the impact it had on "patients, healthcare providers and the wider community".
The company said it had since undertaken a "comprehensive programme of security and operational improvements". It said it had also appointed an independent advisory board to assist with clinical governance, privacy and security.
ManageMyHealth said the affected data had been limited to the "My Health Documents" area of the platform, with no evidence of compromise to core patient portal systems or their integration with GP practice management systems.
The company said it continued to provide support services for affected patients, including a helpline, identity protection services and mental wellbeing support.
A preventable attack
An independent security researcher alerted the Health Ministry to vulnerabilities in ManageMyHealth's API security in November 2025, and the ministry passed the warning on to the company on November 17.
Health Minister Simeon Brown described the breach as "concerning" and said Health NZ was working closely with ManageMyHealth to ensure it was being appropriately addressed.
"This has enough similarities to the attack method used by the threat actor to exfiltrate large amounts of data... to have raised serious concerns with ManageMyHealth and should have prompted rapid remediation of these flaws," the report read.
But the review found no evidence that the issues had been addressed before a hacker exploited similar flaws on December 21 to begin downloading patient data from the portal, which serves about 1.8 million registered users and more than 680 health centres.
The same researcher had also raised concerns in December 2022 and, according to their 2025 report, found that while some changes had been made, they were "drastically insufficient and many issues remain unfixed".
The hacker, who used the alias "Kazu", gained access using a legitimate user's login credentials that had been compromised by malware. They then exploited weaknesses in the portal's API to access health documents belonging to other patients.
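The report excerpted here does not publish the specific API weakness, only that an already-authenticated account was able to reach documents belonging to other patients. The following is an added illustration, written for this page and not code from ManageMyHealth, CyberCX or the Privacy Commissioner's inquiry, of the control that prevents that class of failure: a document endpoint that checks authentication only, beside one that also enforces per-object authorization and records denials so that one account touching many foreign records shows up in logs. Every name, field and sample record below is constructed for the example.

```python
"""Per-object authorization on a patient-document API (constructed example).

Added example, not the platform's code. The data model, endpoint shape and
threshold are assumptions made for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: str   # the patient the document belongs to
    title: str


@dataclass(frozen=True)
class Session:
    user_id: str    # the authenticated principal behind the request


class DocumentStore:
    """In-memory stand-in for the document table."""

    def __init__(self, docs: List[Document]) -> None:
        self._by_id: Dict[int, Document] = {d.doc_id: d for d in docs}

    def get(self, doc_id: int) -> Optional[Document]:
        return self._by_id.get(doc_id)


class AuthzAuditLog:
    """Collects denied object reads; a SIEM would consume these events."""

    def __init__(self) -> None:
        self.events: List[dict] = []

    def record_denied(self, user_id: str, doc_id: int) -> None:
        self.events.append({"event": "authz_denied", "user": user_id, "doc": doc_id})


# --- Weak pattern: authentication only -------------------------------------
def fetch_document_insecure(store: DocumentStore, session: Optional[Session],
                            doc_id: int) -> Optional[Document]:
    """Any logged-in user receives any document simply by naming its id."""
    if session is None:
        raise PermissionError("unauthenticated")
    return store.get(doc_id)


# --- Hardened pattern: authentication plus per-object authorization ---------
def fetch_document_secure(store: DocumentStore, session: Optional[Session],
                          doc_id: int, audit: AuthzAuditLog) -> Optional[Document]:
    """Return the document only if the caller owns it.

    Missing and foreign documents both yield None, so the response does not
    reveal whether an id exists; the denial is written to the audit log.
    """
    if session is None:
        raise PermissionError("unauthenticated")
    doc = store.get(doc_id)
    if doc is None or doc.owner_id != session.user_id:
        audit.record_denied(session.user_id, doc_id)
        return None
    return doc


def account_exceeds_denials(audit: AuthzAuditLog, user_id: str, threshold: int) -> bool:
    """Detection rule: one account with many denied object reads is the log
    shape left when a stolen credential is used to walk other users' ids."""
    denied = sum(1 for e in audit.events if e["user"] == user_id)
    return denied >= threshold


# Constructed sample data: two patients, one document each.
SAMPLE_DOCS = [
    Document(1001, "patient-a", "discharge summary"),
    Document(1002, "patient-b", "referral letter"),
]


def demo() -> dict:
    """Run both patterns against the sample store; returns what each gave out."""
    store = DocumentStore(SAMPLE_DOCS)
    audit = AuthzAuditLog()
    attacker = Session("patient-a")           # legitimate account, wrong document
    leaked = fetch_document_insecure(store, attacker, 1002)
    blocked = fetch_document_secure(store, attacker, 1002, audit)
    own = fetch_document_secure(store, attacker, 1001, audit)
    for probe_id in range(1003, 1010):         # probing further ids is denied and logged
        fetch_document_secure(store, attacker, probe_id, audit)
    return {
        "insecure_leaked_title": leaked.title if leaked else None,
        "secure_blocked": blocked is None,
        "secure_own_title": own.title if own else None,
        "denials_logged": len(audit.events),
        "flagged": account_exceeds_denials(audit, "patient-a", threshold=5),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the check is made on the object after it is resolved, not inferred from the request, and that a denied read is treated as a security event rather than a silent 404; a threshold over those events is the simplest detection a portal operator can run against exactly the access pattern the report describes.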
Patient notification after the breach was also described as "often confused, overly optimistic and inaccurate", according to the report.
Public health organisations and GP practices initially learned of the incident through media reporting, and ManageMyHealth mistakenly notified some unaffected users after beginning notifications before its forensic investigation was complete.
The company's crisis communications were largely CEO-led and described as transparent in principle but "poorly structured in execution".
The review noted the small team responding during the holiday period showed visible fatigue, and questioned whether media interviews should have been conducted at all, given the risk of miscommunication.
The hacker demanded US$60,000 (about NZ$104,000) for the return of the data, with shifting deadlines. The threatened mass release never took place, and a police investigation was ongoing at the time of the report.
The review made 12 recommendations, with seven rated high priority.
ManageMyHealth was told to undertake further penetration testing and a full external compliance assessment.
Health NZ was urged to strengthen its management of third-party suppliers and improve its processes for notifying patients during a data breach. The report noted that ManageMyHealth had appeared to improve its security posture since the breach.