New Zealand, 6 January 2026 - Hackers have demanded a ransom worth US $60,000 (about KSh 7.7 million) from Manage My Health, New Zealand’s largest online patient portal, after gaining unauthorised access to sensitive medical records, sparking urgent reviews by authorities and fears of identity theft among tens of thousands of patients.
The cyberattack, first identified on 30 December 2025, compromised the Health Documents module of the platform, which is used by general practices across the country to manage patient records.
Manage My Health estimates that 6–7 per cent of its roughly 1.8 million registered users, about 108,000 to 126,000 people, may have had personal information accessed by the hackers.
Hackers operating under the name “Kazu” warned via the messaging app Telegram that they would release more than 400,000 stolen files if the ransom was not paid within 48 hours.
The deadline arrived early Monday, but so far no additional data has been publicly leaked.
“We know exactly how valuable health data is and how sensitive it can be,” the group wrote in a Telegram post, adding that they are motivated by profit and reputation rather than political goals.
The stolen documents reportedly include medical records, diagnostic results, prescription information, personal contact details and other highly sensitive material, making the breach potentially more damaging to individuals than typical financial data breaches.
Cybersecurity experts note that health records are often worth 10–50 times more than credit card data on the dark web because they contain identifiers that can fuel identity fraud or extortion.
Government Rejects Paying Ransom
New Zealand Health Minister Simeon Brown has been clear that the government’s position remains that ransom should not be paid.
Brown described the incident as “pretty unacceptable” and ordered an urgent review into the breach, including how it occurred and how data systems can be strengthened.
Authorities are also investigating whether the ransom deadline has been extended and how patients will be notified as part of the Privacy Act process.
Manage My Health said communications about the ransom are a matter for police while the investigation continues.
Urgent Clinical and Patient Concerns
The fallout from the breach has led to concern among general practitioners (GPs), who are being inundated with questions from patients unsure if their details were accessed.
General Practice Owners’ Association chair Angus Chambers said GPs are facing increased workloads simply trying to respond to patient anxiety.
An urgent High Court injunction has also been granted to try to prevent third parties from accessing or sharing stolen data, although its practical reach, especially overseas, remains uncertain.
Cybersecurity Experts Warn of Identity Theft and Scams
Experts and online safety organisations are warning New Zealanders to be on high alert for phishing attempts and fraudulent messages that may follow the breach.
Netsafe chief online safety officer Sean Lyons warned people to be “extra cautious about emails containing private information,” as cybercriminals often use leaked data to craft convincing scams.
Medical identity theft, where hackers use sensitive health information to fraudulently obtain medical services or insurance payouts, can go undetected for long periods, making it a particularly harmful consequence of such breaches.
Why Healthcare Systems Are Attractive Targets
Healthcare data is increasingly attractive to cybercriminals because it combines deeply personal information with often weaker security than financial systems.
A recent New Zealand cybersecurity threat report showed that past ransomware attacks on health organisations succeeded because of a lack of robust security controls such as multi-factor authentication and secure backups, lessons that have taken on heightened urgency in the wake of the latest breach.
The Manage My Health incident is now regarded as one of New Zealand’s most serious cybersecurity breaches, rivalling earlier attacks on other systems in terms of sensitivity and scale.
Affected patients are expected to be formally notified as part of legal disclosure requirements under New Zealand’s privacy laws.
Health portals and medical practices are coordinating to support impacted individuals, including setting up helplines and guidance on protection steps.
Meanwhile, the government’s review will examine system vulnerabilities, crisis response protocols, and future regulatory frameworks to protect health data, an issue that has become a growing concern as digital health records become the norm around the world.




