ManageMyHealth Breach: Cybersecurity Review Commissioned

by priyanka.patel tech editor

Auckland, January 5, 2026

New Zealand’s Health Minister has ordered a full review into a cybersecurity breach at ManageMyHealth, the nation’s leading digital patient portal, after hackers reportedly demanded a US$60,000 ransom.

The Breach and Its Potential Impact

The incident, which came to light after communication with hackers via the Dark Web, potentially affects up to 8% of ManageMyHealth’s 1.8 million customers. It raises serious questions about the security of sensitive health data held by private technology providers.

What data is at risk? Early indications suggest access to patient demographic information, appointment histories, and communication logs. Investigations are ongoing to determine if clinical notes or full medical histories were compromised.

ManageMyHealth immediately notified the National Cyber Security Centre and the Ministry of Health, and began contacting General Practices (GPs) and the public to inform them of the potential data exposure.

Government Response and the Commission of Inquiry

Health Minister Simeon Brown directed the Acting Director-General of the Ministry of Health, Celia Wellington, to establish a Commission to thoroughly review all aspects of the breach.

“Patient data is incredibly personal, and whether it is held by a public agency or a private company, it must be protected to the highest standards,” Brown stated.

Review Objectives

The review will focus on three key areas: assessing the cause(s) of the incident, evaluating the adequacy of existing data protections and the response to the breach, and recommending improvements to prevent similar incidents in the future.

The Commission is expected to begin its work no later than January 30, 2026.

Broader Cybersecurity Concerns

This incident is the latest in a series of cybersecurity breaches impacting New Zealand organizations, including those within the health sector. Attacks on District Health Boards (DHBs), private clinics, and technology providers have highlighted the increasing sophistication of cyber threats and the vulnerability of systems holding sensitive information.

Responses to previous breaches have typically involved isolating affected systems, engaging with the National Cyber Security Centre (NCSC), and transparent public communication. However, these incidents have also revealed gaps in preparedness, reliance on legacy systems, and inconsistent cybersecurity standards.

ManageMyHealth’s Response

ManageMyHealth Executive Chairman Vino Ramayah expressed regret over the breach and stated the company is working closely with cybersecurity experts and government agencies to understand the full extent of the incident.

Ramayah said the company acted swiftly upon detecting suspicious activity and has increased security measures, including enhanced monitoring, additional authentication layers, and a review of all third-party integrations.

“We understand the trust that patients place in us. We are committed to doing everything necessary to restore that trust. We will fully cooperate with the government-commissioned Review and implement any recommendations arising from it,” he said.

ManageMyHealth Executive Chairman Vino Ramayah has taken steps to further strengthen the security of his online service to prevent future cyber attacks.

Health New Zealand has confirmed its own systems were not affected and is working with primary care providers to assess the potential impact on patients. General practices remain open and continue to provide services.
