▣ Breach MANAGEMYHEALTH-DAT 2026-05-27

ManageMyHealth: Preventable Breach Exposes 99,416 NZ Patient Records

ManageMyHealth, the patient portal behind New Zealand's largest health data breach, was warned about the security flaws that enabled the December 2025 intrusion but failed to act, according to inquiry findings released today by Privacy Commissioner Michael Webster. The attack compromised 99,416 patient records, with 91% of victims concentrated in Northland, and has been formally described as preventable.

What Happened

The Privacy Commissioner's inquiry, released alongside a parallel technical review by cybersecurity firm CyberCX, concluded that both ManageMyHealth and Health NZ breached the Privacy Act by failing to maintain reasonable security safeguards. Webster announced his intention to issue compliance notices, the strongest enforcement tool available to his office, to both organizations. Researchers characterized the incident as "neither technically sophisticated, nor particularly uncommon," underscoring that the company had been alerted to the underlying weaknesses prior to the intrusion but did not remediate them in time.

ManageMyHealth, a privately owned company within the Cereus Health Group, confirmed 99,416 individuals were impacted, revised down from initial estimates of roughly 127,000. The bulk of affected patients, around 86,000, were enrolled in Northland, with many likely to be Māori, raising specific equity and harm concerns flagged by the Commissioner.

What Was Taken

Media reporting based on published data samples indicates the stolen files included clinical notes, intimate imagery, and scans of passports uploaded by users. The Commissioner warned that the exposure of this category of sensitive health and identity information could drive serious downstream harm, including blackmail, extortion, and identity fraud. Of ManageMyHealth's approximately 1.8 million registered users, the company estimates between 6% and 7% may have been impacted, with the confirmed victim count sitting just under 100,000.

Why It Matters

This incident is one of the largest and most damaging cybersecurity events in New Zealand's history and sets a regulatory precedent: a national privacy regulator has formally found a healthcare data custodian and a public health agency in breach of statutory security obligations following advance warnings. The CyberCX technical review concluded ManageMyHealth was unprepared for an incident of this nature, had significant control failings across its technology environment, and was likely not aligned with health information security framework requirements before the attack. For defenders, the case validates that ignored vulnerability disclosures and audit findings in the healthcare sector now carry direct enforcement consequences, not just reputational risk.

The Attack Technique

While full technical attribution has not been publicly released, the inquiries make clear the intrusion exploited known, previously flagged security flaws rather than novel zero-day capabilities. CyberCX assessed the technology environment as containing significant control failings and as misaligned with New Zealand's Health Information Security Framework (HISF). The researchers' characterization of the attack as "neither technically sophisticated, nor particularly uncommon" suggests commodity techniques against an inadequately hardened patient portal, consistent with web-application and credential-driven intrusions seen across the healthcare sector globally.

What Organizations Should Do

  1. Triage prior security warnings immediately. Treat ignored pentest findings, vulnerability disclosures, and audit gaps as active risk; the ManageMyHealth case shows regulators will weigh prior warnings heavily in enforcement.
  2. Align to sector-specific frameworks. Healthcare custodians should formally benchmark against the Health Information Security Framework (HISF) or equivalent national standards, and close documented gaps on a tracked timeline.
  3. Harden patient portals. Apply defense-in-depth on internet-facing patient systems: MFA enforcement, rate limiting, web application firewalls, and continuous external attack surface monitoring.
  4. Inventory and minimize sensitive data. Identify and reduce storage of high-harm uploads such as passport scans and intimate imagery; apply strong encryption and short retention windows where retention is required.
  5. Prepare an incident response playbook. CyberCX cited ManageMyHealth as unprepared; healthcare providers should run tabletop exercises covering breach notification, GP coordination, and regulator engagement.
  6. Establish independent governance. Consider standing up an external advisory board for clinical governance, privacy, and security, as ManageMyHealth has now done post-incident, before a breach forces the move.

Sources: ManageMyHealth warned before massive data breach – inquiry