Key Takeaways:
- A major privacy breach occurred in New Zealand in 2025, where hackers accessed health data from the patient portal Manage My Health.
- The hackers, known as ‘Kazu’, demanded a ransom of $60,000 in exchange for not releasing the data on the dark web.
- Over 120,000 New Zealanders’ medical details were potentially exposed, with the breach affecting around 6-7% of Manage My Health’s 1.8 million registered users.
- The company has been criticized for its handling of the breach, with many patients and healthcare providers expressing frustration and disappointment.
- An investigation into the breach is ongoing, with the Ministry of Health and other government agencies involved.
Introduction to the Breach
The recent cyber attack on Manage My Health, a patient portal in New Zealand, has raised significant concerns about data privacy and security. The breach, which occurred in 2025, resulted in the exposure of over 120,000 New Zealanders’ medical details, including names, medical records, test results, and prescription details. The hackers, known as ‘Kazu’, demanded a ransom of $60,000 in exchange for not releasing the data on the dark web. This breach is one of the largest in New Zealand’s history, and it has sparked a nationwide discussion about the importance of data protection and cybersecurity.
The Events Leading Up to the Breach
Manage My Health, founded in 2008, had over 700,000 users by 2020. The company was spun out of Medtech Global into Cereus Holdings, and by 2025, it had grown to over 1.8 million users. However, in July 2025, a digital forensics and cybersecurity company in Nepal reported that a hacker, allegedly ‘Kazu’, had stolen 1.4TB of data from the Nepali Ministry of Education, Science, and Technology. Similar claims were made about attacks on other organizations, including a doctors’ group in Texas and the Colombian Ombudsman. On December 30, 2025, Kazu posted online that they had breached Manage My Health, claiming to have 108GB of data and demanding a ransom.
The Aftermath of the Breach
Following the breach, Manage My Health confirmed that it had been hacked and that an investigation was underway. The company revealed that between 6 and 7 percent of its approximately 1.8 million registered users may have been impacted, and it expected to start notifying affected patients within 48 hours. However, many patients and healthcare providers expressed frustration and disappointment with the company’s handling of the breach. The Office of the Privacy Commissioner, Health NZ, and the police were notified, and the breach was "contained". The Health Minister, Simeon Brown, stated that the breach was concerning but would have no clinical impact on patient care.
The Investigation and Response
The investigation into the breach is ongoing, with the Ministry of Health and other government agencies involved. Manage My Health has filed papers in court seeking an injunction on the publication of the stolen files, and the company has been working to notify affected patients. However, many patients reported receiving conflicting information from the company, and some were told that their data had not been stolen when, in fact, it had. The Public Service Association stated that the security breach highlighted the risk of cutting IT experts in public health. The National Cyber Security Centre is working with Health NZ and other government agencies to respond to the breach.
The Hacker’s Motivations and Actions
The hacker, ‘Kazu’, has been described as being motivated by profit and notoriety. Kazu claimed that most companies pay the ransom, even if the government does not allow it, and that Manage My Health’s security was lacking "basic security protocols". The hacker removed all references to the Manage My Health data breach from their online presence, and it is unclear what their next steps will be. The CEO of Manage My Health, Vino Ramayah, revealed that the hacker "got in through the front door" of the website by simply using a "valid user password".
The Impact on Patients and Healthcare Providers
The breach has had a significant impact on patients and healthcare providers. Many patients have reported receiving conflicting information from Manage My Health, and some have been told that their data has not been stolen when, in fact, it has. Healthcare providers have also expressed frustration with the company’s handling of the breach, with some stating that they only learned about the potential breach through the media. The Office of the Privacy Commissioner has issued guidance for affected patients on what to do if their data has been exposed.
The Need for Improved Cybersecurity
The breach highlights the need for improved cybersecurity measures to protect sensitive data. Manage My Health has been criticized for its lack of basic security protocols, and the company has urged users to enable two- or multi-factor authentication to improve security. The National Cyber Security Centre is working with Health NZ and other government agencies to respond to the breach, and an investigation into the breach is ongoing. The incident serves as a reminder of the importance of prioritizing cybersecurity and protecting sensitive data.