[agents/model-providers] [xai-auth] bootstrap config fallback: no config-backed key found

title: "Intel Brief: Manage My Health New Zealand — Kazu Ransomware Healthcare Attack" date: 2026-04-04 slug: manage-my-health-nz-ransomware-86k-patient-records

Intel Brief: Manage My Health New Zealand — Kazu Ransomware Healthcare Attack

In early 2026, the Kazu ransomware group executed a significant attack against Manage My Health, New Zealand's largest patient portal, exposing approximately 86,000 patient medical records spanning the Northland region and beyond. The attackers demanded a ransom of US$60,000 (NZD$105,000) for encrypted data and non-disclosure of stolen files. The breach affected 6-7% of the platform's 1.8 million registered users, with 45 GP practices in Northland and critical healthcare documents including discharge summaries, referral documents, and patient-uploaded medical files compromised. The incident exposed significant security failures in healthcare IT infrastructure, including improper email authentication configuration (DMARC), delayed patient notification procedures, and insufficient access controls — representing a critical vulnerability in New Zealand's healthcare data management systems.

What Happened

Kazu ransomware group successfully compromised Manage My Health's infrastructure, encrypted patient data, and exfiltrated medical records. The attack affected a significant portion of healthcare providers across New Zealand's Northland region, which represented the only region using Manage My Health for patient communication at the time.

Confirmed Facts:

• Manage My Health is New Zealand's largest patient portal serving 1.8 million registered users
• Kazu ransomware group executed the attack and demanded ransom
• Ransom demand: US$60,000 (NZD$105,000) for data decryption and non-disclosure agreement
• Approximately 86,000 patient records were exposed
• Northland region heavily impacted: over 70% of affected patients nationwide
• 45 GP practices in Northland were affected
• Breach affected 6-7% of total registered users
• Both living and deceased patients' records were compromised
• Platform remained partially unavailable during notification period
• Patient support lines were overwhelmed with inquiries

Attack Timeline:

1. Initial Compromise (date not disclosed): Kazu gained unauthorized access to Manage My Health systems and deployed ransomware.

2. Data Encryption & Exfiltration: Attackers encrypted patient data and copied medical records to attacker-controlled infrastructure.

3. Ransom Demand: Kazu demanded payment with deadline; company initially remained tight-lipped about payment status.

4. Patient Notification (delayed): Manage My Health began notifying affected patients of the breach, though notifications were incomplete and delayed due to technical issues.

What Was Taken

Confirmed Data Exposure:

• Hospital discharge summaries
• Patient-uploaded documents and attachments
• Referral documents from healthcare providers
• Complete patient medical records
• Patient contact information (names, addresses, phone numbers)
• Medical history and treatment information
• Doctor notes and clinical assessments
• Records of deceased patients

Volume of Exposure:

• Total patient records: 86,000+
• Affected user percentage: 6-7% of 1.8 million registered users
• Geographic concentration: Northland region (70%+ of affected patients)
• Healthcare practices affected: 45 GP practices in Northland

Sensitivity Assessment: Critical. Exposed medical records include:

• Complete personal health information enabling identity theft and medical fraud
• Medical conditions, medications, and treatment history enabling social engineering and blackmail
• Doctor-patient communications revealing medical conditions and personal health information
• Hospital discharge summaries with diagnostic information and treatment details
• Information sufficient for targeted phishing, medical identity theft, and insurance fraud

Deceased Patient Records: The compromise of records for deceased patients raises additional privacy and family notification concerns beyond living patients.

Why It Matters

This breach represents a critical vulnerability in New Zealand's healthcare data management infrastructure and reveals systemic failures in healthcare IT security and incident response.

Strategic Significance:

1. Healthcare System Vulnerability: New Zealand's largest patient portal — a critical healthcare infrastructure component serving 1.8 million users — was successfully compromised and encrypted by ransomware operators, demonstrating vulnerability of centralized healthcare IT systems.

2. Security Configuration Failures: Cybersecurity experts identified basic security failures including improperly configured DMARC email authentication protocols, suggesting inadequate security practices and controls.

3. Delayed Incident Response: The platform remained unable to notify patients effectively due to technical issues and technical complexity, creating a gap during which additional data could have been compromised.

4. Regional Healthcare Disruption: Northland's reliance on a single vendor (Manage My Health) for patient communication created concentrated risk; 45 GP practices lost access to patient portals simultaneously.

5. Critical Patient Vulnerability: Over 86,000 patients lost access to their own medical records during treatment and recovery, with potential clinical impact for patients requiring ongoing care.

6. Ransomware Monetization: The $60,000 ransom demand and eventual payment (status unclear) validate the attackers' approach and incentivize continued targeting of healthcare systems.

The Attack Technique

Specific attack methodology and initial access vector are not disclosed in available reporting.

Confirmed Facts:

• Attackers gained unauthorized access to Manage My Health infrastructure
• Ransomware was deployed across systems, encrypting patient data
• Patient data was exfiltrated to attacker-controlled infrastructure prior to encryption
• Email authentication (DMARC) was improperly configured, suggesting potential email-based attack vector or compromised email accounts

Not Disclosed: The source material does not provide details on initial access method (phishing, exploitation, compromised credentials, supply chain attack, etc.), persistence mechanisms, lateral movement techniques, or specific vulnerabilities exploited. Attack chain and methodology remain unknown in available reporting.

What Organizations Should Do

For Healthcare IT & Patient Portal Operators:

1. Immediate Security Audit of Email Authentication — Audit DMARC, SPF, and DKIM configurations across all email services. Implement strict email authentication policies to prevent spoofing and phishing attacks that could lead to credential compromise.

2. Ransomware Encryption Detection & Prevention — Deploy continuous file integrity monitoring and anomalous activity detection to identify ransomware encryption attempts in real-time. Implement immutable backups and air-gapped backup systems that prevent ransomware encryption of recovery data.

3. Patient Portal Access Control Audit — Review all administrative access, API integrations, and service account permissions. Implement zero-trust architecture and multi-factor authentication for all privileged access.

4. Incident Response & Communication Plan — Establish pre-tested incident communication procedures that enable rapid patient notification without requiring manual systems to remain operational. Pre-stage notification templates and communication channels independent of compromised systems.

5. Data Segmentation & Encryption — Implement encryption for patient data at rest and in transit. Segment patient portal systems from administrative and provider systems to limit lateral movement if one system is compromised.

6. Third-Party Vendor Risk Assessment — If systems are managed by third-party vendors, conduct security audits, require SOC 2 Type II compliance, and establish contractual requirements for incident response timelines and notification procedures.

For Healthcare Providers Using Patient Portals:

• Maintain independent backup copies of critical patient records
• Establish alternative communication channels for patient notification (SMS, phone, mail) if portal systems become unavailable
• Monitor patient portal access patterns for unauthorized activity
• Implement staff training on phishing and credential compromise risks

For New Zealand Healthcare Regulators:

• Require security assessments and certifications for all patient-facing healthcare IT systems
• Establish mandatory incident response timelines and patient notification requirements
• Consider data localization requirements to ensure sensitive health information remains within New Zealand

Sources: Ransomware Attack on NZ's Manage My Health: 86K Patient Records Breached (2026)