New Zealand health technology provider Manage My Health suffered a major data breach in late December, with attackers exfiltrating the medical notes of more than 120,000 patients. The incident, confirmed by the company and covered extensively by RNZ, has prompted a Health Minister-ordered review that has now formally wrapped up, with findings expected to be released publicly. Affected patients describe shattered trust in digital health storage and limited follow-up communication from the provider.
What Happened
In December, threat actors compromised systems operated by Manage My Health, a patient portal and digital records provider widely used across New Zealand general practice. The breach went public near the end of December, with many patients only receiving official notifications nearly two weeks later via email. Manage My Health's notice instructed users to reset passwords and enable two-factor authentication, but provided little additional remediation guidance. Four months on, affected individuals report no further communication from the provider. The Health Minister directed an independent review into the incident, the outcome of which is now imminent.
What Was Taken
The stolen dataset is highly sensitive and directly identifying. Reporting confirms the exposure of:
- Full medical notes, including detailed clinical records
- Names, dates of birth, and physical addresses
- Phone numbers
- National Health Index (NHI) numbers, the unique identifier used across the New Zealand health system
- Records relating to traumatic medical events, including injury histories from serious accidents
The combination of clinical detail and the NHI number is particularly damaging because the NHI follows a patient across every interaction with the New Zealand health system, making it functionally impossible to "rotate" the way a password or card number can be replaced.
Why It Matters
Healthcare data is among the most valuable categories on criminal markets because it is durable, deeply personal, and rarely revocable. A leaked password can be changed; a leaked diagnosis cannot. For the 120,000 affected patients, the exposure of medical notes alongside identifiers like the NHI creates long-tail risks: targeted phishing using accurate clinical context, insurance and benefits fraud, extortion of individuals with sensitive conditions, and identity abuse against a population that cannot meaningfully change its identifiers. The breach also lands at a moment when New Zealand is expanding the categories of personal information collected at health touchpoints, including new sexual-history screening questions for blood donors. Public confidence in how that data is stored is now demonstrably fragile, and one breach in the ecosystem corrodes trust across the rest of it.
The Attack Technique
Manage My Health and reviewing authorities have not publicly disclosed the initial access vector or the specific tradecraft used by the attackers. The provider's post-incident guidance to customers, focused on password resets and enabling two-factor authentication, is consistent with patterns seen in credential-driven intrusions against patient portals, but no attribution or technique has been confirmed in public reporting. The pending review is expected to clarify how the intrusion occurred, how long attackers had access, and whether existing controls were adequate for the sensitivity of the data held.
What Organizations Should Do
Healthcare providers and the third-party platforms that handle clinical data should treat the Manage My Health incident as a forcing function for the following defensive steps:
- Enforce phishing-resistant MFA on all patient-portal and clinician access, including admin and integration accounts, not only after a breach but as a baseline.
- Encrypt clinical records at rest with tightly scoped key access, so that a single account compromise does not yield full-text medical notes.
- Reduce data retention and copy sprawl: clinical platforms routinely retain data far beyond operational need; aggressive minimisation reduces blast radius.
- Instrument egress monitoring for unusual bulk reads or exports of patient records, with alerting tuned for after-hours and atypical query patterns.
- Pre-build a breach communications playbook that goes beyond "reset your password" and includes credit/identity monitoring, dedicated support channels, and proactive outreach within days, not weeks.
- Conduct third-party risk reviews of every vendor touching health records, with contractual rights to audit security controls and breach response readiness.
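The egress-monitoring step in the list above can be sketched as a sliding-window check on how many distinct patient records each account reads, with a stricter limit outside business hours. This is an added example, not code from Manage My Health or the RNZ reporting; the log format, account names, window and thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # sliding window per account (assumed)
LIMIT_BUSINESS = 40              # distinct patients per window, 08:00-18:00 weekdays (assumed)
LIMIT_AFTER_HOURS = 10           # stricter limit at night and on weekends (assumed)

def parse(line):
    """Parse 'ISO_TIMESTAMP key=value ...' (hypothetical format) into (datetime, dict)."""
    ts, *pairs = line.split()
    return datetime.fromisoformat(ts), dict(p.split("=", 1) for p in pairs)

def after_hours(ts):
    return ts.weekday() >= 5 or not (8 <= ts.hour < 18)

def detect_bulk_reads(lines):
    """Return one alert (user, time, distinct_patients, limit) per bulk-read episode."""
    recent = defaultdict(deque)  # user -> (ts, patient) events still inside WINDOW
    alerting = set()             # users currently above their limit
    alerts = []
    for ts, ev in sorted(map(parse, lines), key=lambda e: e[0]):
        if ev.get("action") not in ("read", "export"):
            continue
        q = recent[ev["user"]]
        q.append((ts, ev["patient"]))
        while q[0][0] < ts - WINDOW:
            q.popleft()          # drop events that have aged out of the window
        distinct = len({p for _, p in q})
        limit = LIMIT_AFTER_HOURS if after_hours(ts) else LIMIT_BUSINESS
        if distinct > limit:
            if ev["user"] not in alerting:  # alert once per episode, not per row
                alerts.append((ev["user"], ts, distinct, limit))
                alerting.add(ev["user"])
        else:
            alerting.discard(ev["user"])
    return alerts

def sample_log():
    """Constructed sample: a clinician's daytime reads and a night-time sweep."""
    day = datetime(2025, 1, 14, 10, 0)    # Tuesday 10:00
    night = datetime(2025, 1, 15, 2, 0)   # Wednesday 02:00
    rows = [(day + timedelta(seconds=30 * i), "dr.smith", f"P{i:04d}") for i in range(15)]
    rows += [(night + timedelta(seconds=5 * i), "svc-integration", f"P{i:04d}") for i in range(30)]
    return [f"{t.isoformat()} user={u} action=read patient={p}" for t, u, p in rows]

if __name__ == "__main__":
    for user, ts, n, limit in detect_bulk_reads(sample_log()):
        print(f"ALERT {ts.isoformat()} {user}: {n} distinct patients in 10 min (limit {limit})")
```

Counting distinct patients rather than raw requests keeps a clinician who reopens the same chart repeatedly from tripping the alert, while a sweep across many records does.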
Regulators in jurisdictions with single-identifier health systems should also revisit how cleanup and remediation work when the leaked identifier (here, the NHI) cannot be revoked or reissued at scale.
Sources: Questions grow over safety of personal health data | RNZ News