Manage My Health NZ

Manage My Health NZ At Manage My Health, we believe that your health - and the health of your family and friends - is what matters most.

Our goal is to help you take better care of yourself and stay ahead of your health needs.

12/01/2026

MMH cyber breach update 12 January 2026

Further to our 9 January 2026 statement regarding the cybersecurity crime, Manage My Health (MMH) provides the following update.

Patient notification

More than half of affected patients have now received a notification email.

This process is ongoing, with notifications rolling out to affected patients that can be notified. It will take some time to complete the remainder of the list given the complexities of coordinating communications to separate cohorts of patients with relevant authorities and Health New Zealand. This must be done securely in compliance with privacy laws. We will provide a timeframe for completion when we are able to.

Practice and healthcare provider notification

We continue to communicate with general practices to provide updates, support and guidance, and will be providing resources to all practices to assist direct communications with their patients.

MMH is also communicating with other relevant healthcare providers whose patients and clients utilise MMH, to ensure they have the appropriate information and resources at hand when answering any questions directly from their user base.

Northland

We continue to work closely with Health New Zealand to ensure those affected receive appropriate support and information.

Advisory board

Following the appointment of Emeritus Professor Murray Tilyard ONZM as an Honorary Clinical Advisor and Ross Tanner as Governance and Privacy Matters Advisor to MMHโ€™s advisory board, MMH advises it has also appointed Russell Craig.

From 2014 to 2023, Russell was Microsoft New Zealandโ€™s National Technology and Security Officer, advising public and private organisations on digital strategy and risk, including the health sector, and he also served on the Board of the Digital Health Association.

Russell's expertise in data governance, cybersecurity and the health technology sector makes him an invaluable addition to MMHโ€™s Advisory Board. His guidance will be instrumental as we continue to strengthen our security posture and security governance frameworks to better serve patients and healthcare providers across New Zealand.

Technical support

Our team continues to be available to answer any technical questions that patients and practices have and encourage those experiencing any difficulty in accessing the web application or locating information and documents, to persist via all usual contact methods including via social media direct message or info@managemyhealth.co.nz. Affected patients have been provided with an 0800 number for dedicated support.

MMH assures patients that our systems are secure and operating as normal.

For any further information, please refer to our frequently asked questions here: FAQs - Cyber Breach | Manage My Health

Our regular updates can be found on our website

As always, if any patients or practices have any concerns or questions, please contact us directly via info@managemyhealth.co.nz

๐— ๐— ๐—› ๐—ฐ๐˜†๐—ฏ๐—ฒ๐—ฟ ๐—ฏ๐—ฟ๐—ฒ๐—ฎ๐—ฐ๐—ต ๐˜‚๐—ฝ๐—ฑ๐—ฎ๐˜๐—ฒ, ๐Ÿต ๐—๐—ฎ๐—ป๐˜‚๐—ฎ๐—ฟ๐˜† ๐Ÿฎ๐Ÿฌ๐Ÿฎ๐Ÿฒ Further to our 8 January 2026 statement regarding the cybersecurity crime, Manag...
09/01/2026

๐— ๐— ๐—› ๐—ฐ๐˜†๐—ฏ๐—ฒ๐—ฟ ๐—ฏ๐—ฟ๐—ฒ๐—ฎ๐—ฐ๐—ต ๐˜‚๐—ฝ๐—ฑ๐—ฎ๐˜๐—ฒ, ๐Ÿต ๐—๐—ฎ๐—ป๐˜‚๐—ฎ๐—ฟ๐˜† ๐Ÿฎ๐Ÿฌ๐Ÿฎ๐Ÿฒ

Further to our 8 January 2026 statement regarding the cybersecurity crime, Manage My Health (MMH) provides the following update.

Our priority focus remains on direct communications with affected patients and practices. MMH would like to reiterate its sincere apology to those impacted by this criminal cyber breach. We understand it is distressing and appreciate the frustration at the timing of communications. However, this is a complex exercise which unfortunately cannot be simplified due to the separate cohorts of patients affected which have to be dealt with in different ways.

As a result of which, there is unfortunately no scenario in which MMH could issue instant notifications to those impacted by the breach. Direct notifications have required coordination and clearance from relevant authorities and health sector stakeholders such as GP organisations.

Upon ascertainment of the breach, we immediately contacted Health NZ and various other Government agencies for their cooperation and management of this incident. We also duly notified the Privacy Commissioner of the breach. We knew it did not affect the core MMH application and was confined to a documents folder which was outside the main database.

We immediately appointed our cyber security forensic experts to analyse the cause of the breach and the investigations are ongoing. We also had an independent vulnerability application test conducted which confirmed the current system environment is secure, and therefore can offer an assurance that the breach was swiftly contained.

๐—Ÿ๐—ฒ๐—ด๐—ฎ๐—น
Injunction orders were secured in the interests of protecting client data and to minimise any abuse of data.

Further, MMH has taken all necessary steps to ensure that direct notification to affected practices and patients has complied with relevant legislation including the Privacy Act 2020 and the Health Information Privacy Code.

๐—ฃ๐—ฎ๐˜๐—ถ๐—ฒ๐—ป๐˜ ๐—ป๐—ผ๐˜๐—ถ๐—ณ๐—ถ๐—ฐ๐—ฎ๐˜๐—ถ๐—ผ๐—ป
Direct notifications to patients affected are ongoing, as we are addressing several categories of people, and we expect to complete contacting all remaining patients that can be notified by early next week. More than half of all impacted patients have now received a notification email.

๐Ÿฌ๐Ÿด๐Ÿฌ๐Ÿฌ ๐—ป๐˜‚๐—บ๐—ฏ๐—ฒ๐—ฟ ๐—ณ๐—ผ๐—ฟ ๐—ฎ๐—ณ๐—ณ๐—ฒ๐—ฐ๐˜๐—ฒ๐—ฑ ๐—ถ๐—ป๐—ฑ๐—ถ๐˜ƒ๐—ถ๐—ฑ๐˜‚๐—ฎ๐—น๐˜€
An 0800 number has been established for impacted individuals to call for support and assistance should they require. This number will not be publicly available and only shared with impacted individuals via direct notification, as the team manning this number is dedicated to supporting impacted individuals only.

๐—ง๐—ฒ๐—ฐ๐—ต๐—ป๐—ถ๐—ฐ๐—ฎ๐—น ๐˜€๐˜‚๐—ฝ๐—ฝ๐—ผ๐—ฟ๐˜
We are aware of some reports of users experiencing technical difficulties, such as receiving emails, accessing the patient portal and viewing documents in their account. For these and all other enquiries, the MMH team continues to be available via all usual contact methods including via social media direct message or info@managemyhealth.co.nz

๐— ๐—ฒ๐—ฑ๐—ถ๐—ฎ ๐—ฒ๐—ป๐—พ๐˜‚๐—ถ๐—ฟ๐—ถ๐—ฒ๐˜€
MMH appreciates the significant national interest in this criminal cyber breach, given the platformโ€™s role in storing medical information.

As this criminal cyber breach is subject to a police investigation, a full forensic review, and there are privacy concerns involved, there are valid constraints to what MMH can comment on publicly. MMH values its relationship with all media and aims to be accessible, open, and transparent in its communications.

MMH is endeavouring to respond to all individual enquiries and will provide answers to specific questions where possible within these constraints. Regular statements from MMH are shared with media and placed on the website.

๐™ˆ๐™š๐™™๐™ž๐™– ๐™ฃ๐™ค๐™ฉ๐™š: ๐˜—๐˜ญ๐˜ฆ๐˜ข๐˜ด๐˜ฆ ๐˜ด๐˜ฆ๐˜ฆ ๐˜๐˜ˆ๐˜˜๐˜ด ๐˜ฃ๐˜ฆ๐˜ญ๐˜ฐ๐˜ธ ๐˜ง๐˜ฐ๐˜ณ ๐˜ข๐˜ฅ๐˜ฅ๐˜ช๐˜ต๐˜ช๐˜ฐ๐˜ฏ๐˜ข๐˜ญ ๐˜ช๐˜ฏ๐˜ง๐˜ฐ๐˜ณ๐˜ฎ๐˜ข๐˜ต๐˜ช๐˜ฐ๐˜ฏ ๐˜ธ๐˜ฉ๐˜ช๐˜ค๐˜ฉ ๐˜ฎ๐˜ข๐˜บ ๐˜ฃ๐˜ฆ ๐˜ถ๐˜ด๐˜ฆ๐˜ง๐˜ถ๐˜ญ ๐˜ฃ๐˜ข๐˜ด๐˜ฆ๐˜ฅ ๐˜ฐ๐˜ฏ ๐˜ณ๐˜ฆ๐˜ค๐˜ถ๐˜ณ๐˜ณ๐˜ช๐˜ฏ๐˜จ ๐˜ฒ๐˜ถ๐˜ฆ๐˜ด๐˜ต๐˜ช๐˜ฐ๐˜ฏ ๐˜ต๐˜ฉ๐˜ฆ๐˜ฎ๐˜ฆ๐˜ด.

๐—›๐—ฎ๐—ฐ๐—ธ๐—ฒ๐—ฟ ๐—ฎ๐—ป๐—ฑ ๐—ฟ๐—ฎ๐—ป๐˜€๐—ผ๐—บ ๐—ฑ๐—ฒ๐—บ๐—ฎ๐—ป๐—ฑ
A cyber-attack is criminal activity, and this incident is subject to a police investigation. MMH is unable to provide any comment relating to the hacker, or any ransom demand.

Police advice is that third parties should not engage directly with criminal hacker groups, including in this situation. Doing so is not in the best interest of those impacted by this incident and can have un-anticipated consequences.

Police also advise that anyone who has been notified that their data is included in the breach does not need to contact police as this has been covered by the Manage My Health report to police. However, police should be contacted if there is evidence of misuse of personal information.

Government guidance on cyber ransom payments: The New Zealand Government recommends not paying a ransom. Payment does not guarantee that you will get your data back, may breach sanctions, and creates harm to others by providing funding for criminal activities.

๐—ฆ๐—ฒ๐—ฐ๐˜‚๐—ฟ๐—ถ๐˜๐˜† ๐—ฝ๐—ผ๐˜€๐˜๐˜‚๐—ฟ๐—ฒ ๐—ฎ๐—ป๐—ฑ ๐—ฒ๐—ป๐—ฐ๐—ฟ๐˜†๐—ฝ๐˜๐—ถ๐—ผ๐—ป
MMH employs current security measures such as encryption of health data in its database and user passwords.

MMH is an ISO 9001 and ISO 27001 certified organisation. We have quality assurance processes with regular testing of our systems.

๐— ๐— ๐—› ๐—ฐ๐—ผ๐—บ๐—บ๐—ฒ๐—ป๐˜ ๐—ผ๐—ป ๐—ผ๐˜๐—ต๐—ฒ๐—ฟ ๐—ต๐—ฎ๐—ฐ๐—ธ๐—ถ๐—ป๐—ด ๐—ฎ๐˜๐˜๐—ฒ๐—บ๐—ฝ๐˜๐˜€
MMH continuously monitors and upgrades its security and data protection systems. This is a continuing process and criminals find sophisticated new ways of attacking any large system which contains personal data, as has been evidenced in both the health and non-healthcare sectors globally and New Zealand is no exception.

The Office of the Privacy Commissioner confirmed on 7 January that they received an email via their enquiries in-box from an anonymous source about Manage My Health in June 2025 alleging names, email addresses and passwords were exposed in the Manage My Health platform.

In this case we investigated and did not find any breach. However, out of an abundance of caution, we forced password resets on the users concerned. We also reinforced that two factor authentication is available to users of Manage My Health for them to use to enhance the security of their access to the portal.

๐—™๐—”๐—ค๐˜€

โ€ข ๐—ก๐˜‚๐—บ๐—ฏ๐—ฒ๐—ฟ ๐—ผ๐—ณ ๐—ฎ๐—ณ๐—ณ๐—ฒ๐—ฐ๐˜๐—ฒ๐—ฑ ๐—ฝ๐—ฎ๐˜๐—ถ๐—ฒ๐—ป๐˜๐˜€
o The number of patients impacted is approximately 125,000.

โ€ข ๐—ฃ๐—ฎ๐˜๐—ถ๐—ฒ๐—ป๐˜ ๐—ป๐—ผ๐˜๐—ถ๐—ณ๐—ถ๐—ฐ๐—ฎ๐˜๐—ถ๐—ผ๐—ป ๐—ฝ๐—ฟ๐—ผ๐—ด๐—ฟ๐—ฒ๐˜€๐˜€ ๐—ฎ๐—ป๐—ฑ ๐—ฎ๐—ฐ๐—ฐ๐˜‚๐—ฟ๐—ฎ๐—ฐ๐˜†
o Patient notifications continue. More than half of all impacted patients have now received a notification email. All patients who are not impacted can see that in their MMH app. In a small number of cases, users were notified that they were impacted, but the app showed that they were not impacted โ€“ this was caused by the timing of the emails being sent, and the app being updated. This has been updated and all users see the correct details in the app after they have been notified.

โ€ข ๐——๐—ผ๐—ฐ๐˜‚๐—บ๐—ฒ๐—ป๐˜ ๐—ฟ๐—ฒ๐—บ๐—ผ๐˜ƒ๐—ฎ๐—น
o MMH has not removed or changed any documents in MMH which were affected. No direct reports of this nature have been made to MMH, however if any user believes documents are missing from their account, they are encouraged to contact MMH directly.

โ€ข ๐—•๐—น๐—ฎ๐—ป๐—ธ/๐—ฐ๐—ผ๐—ป๐˜๐—ฟ๐—ฎ๐—ฑ๐—ถ๐—ฐ๐˜๐—ผ๐—ฟ๐˜† ๐—ฒ๐—บ๐—ฎ๐—ถ๐—น๐˜€ ๐—ฏ๐—ฒ๐—ถ๐—ป๐—ด ๐˜€๐—ฒ๐—ป๐˜ ๐˜๐—ผ ๐—ฝ๐—ฎ๐˜๐—ถ๐—ฒ๐—ป๐˜๐˜€
o Some email clients may not have displayed the email correctly, and we have corrected this are sending follow up emails where necessary.

โ€ข ๐—ก๐—ผ๐—ฟ๐˜๐—ต๐—น๐—ฎ๐—ป๐—ฑ ๐—ถ๐—บ๐—ฝ๐—ฎ๐—ฐ๐˜
o MMH provides a service for Northland patients to receive hospital discharge summaries through MMH. This solution was a benefit to Northlanders who did not have to wait in hospital to receive paper records and was of particular benefit to Northlanders who are not enrolled with a GP. This arrangement was not in place in other regions.

โ€ข ๐—ข๐˜ƒ๐—ฒ๐—ฟ๐˜€๐—ฒ๐—ฎ๐˜€ ๐—ฝ๐—ฎ๐˜๐—ถ๐—ฒ๐—ป๐˜๐˜€ ๐—ฏ๐—น๐—ผ๐—ฐ๐—ธ๐—ฒ๐—ฑ ๐—ณ๐—ฟ๐—ผ๐—บ ๐—ฎ๐—ฐ๐—ฐ๐—ฒ๐˜€๐˜€๐—ถ๐—ป๐—ด ๐—ฎ๐—ฐ๐—ฐ๐—ผ๐˜‚๐—ป๐˜๐˜€
o Out of an abundance of caution, we limited the countries that can access MMH to UK, USA, Aus and NZ during the incident and will gradually restore access internationally.

โ€ข ๐—ช๐—ฒ๐—ฏ๐˜€๐—ถ๐˜๐—ฒ ๐˜๐—ฟ๐—ฎ๐—ณ๐—ณ๐—ถ๐—ฐ ๐˜ƒ๐—ผ๐—น๐˜‚๐—บ๐—ฒ
o The website has been standing up well, despite the large increase in traffic. We increased capacity as much as possible at short notice to accommodate expected volumes. While some users have experienced some slowness, the application has been operational, and most users are getting the information they need. We ask people to have patience please and to not access the website unless they need to until this notification process is complete.

โ€ข ๐— ๐— ๐—› ๐—ฑ๐—ฎ๐˜๐—ฎ๐—ฏ๐—ฎ๐˜€๐—ฒ ๐—น๐—ผ๐—ฐ๐—ฎ๐˜๐—ถ๐—ผ๐—ป
o The MMH database has always been located in NZ, via NZ data centres.

โ€ข ๐—œ๐—ป๐˜€๐˜๐—ฟ๐˜‚๐—ฐ๐˜๐—ถ๐—ผ๐—ป๐˜€ ๐—ด๐—ถ๐˜ƒ๐—ฒ๐—ป ๐˜๐—ผ ๐—š๐—ฃ๐˜€ ๐—ฎ๐—ฏ๐—ผ๐˜‚๐˜ ๐—ถ๐—ป๐—ณ๐—ผ๐—ฟ๐—บ๐—ถ๐—ป๐—ด ๐—ฝ๐—ฎ๐˜๐—ถ๐—ฒ๐—ป๐˜๐˜€
o MMH is responsible for notifying patients. MMH has shared information with GPs about their impacted patients, but GPs are not expected to notify patients. However, we have prepared an information pack to assist practices, both with affected patients and not, which is being shared this week to support practices with communications to their patients.

โ€ข ๐—ฃ๐—ฟ๐—ฒ๐˜ƒ๐—ฒ๐—ป๐˜๐—ถ๐—ผ๐—ป ๐—บ๐—ฒ๐—ฎ๐˜€๐˜‚๐—ฟ๐—ฒ๐˜€ ๐—ณ๐—ผ๐—ฟ ๐—ณ๐˜‚๐˜๐˜‚๐—ฟ๐—ฒ ๐—ฐ๐˜†๐—ฏ๐—ฒ๐—ฟ ๐—ถ๐—ป๐—ฐ๐—ถ๐—ฑ๐—ฒ๐—ป๐˜๐˜€
o MMH has taken a number of prevention measures. In the first event, we have secured our systems and contracted separate external organisations to run VAPT testing processes to validate our system testing. We are currently carrying out forensic investigations which are still ongoing.

For any further information, please refer to our frequently asked questions here: https://managemyhealth.co.nz/faqs-cyber-breach/

๐—ก๐—ฒ๐˜…๐˜ ๐˜‚๐—ฝ๐—ฑ๐—ฎ๐˜๐—ฒ
MMH will issue its next update on Monday 12 January 2026 once the company has made further progress with direct communications with GP practices, patients and stakeholders.

Our regular updates can be found here: www.managemyhealth.co.nz

As always, if any patients or practices have any concerns or questions, please contact us directly via info@managemyhealth.co.nz

Find the answers to the most frequently asked questions related to the recent Cyber Breach.

๐— ๐— ๐—› ๐—ฐ๐˜†๐—ฏ๐—ฒ๐—ฟ ๐—ฏ๐—ฟ๐—ฒ๐—ฎ๐—ฐ๐—ต ๐˜‚๐—ฝ๐—ฑ๐—ฎ๐˜๐—ฒ ๐Ÿด ๐—๐—ฎ๐—ป๐˜‚๐—ฎ๐—ฟ๐˜† ๐Ÿฎ๐Ÿฌ๐Ÿฎ๐ŸฒFurther to our 7 January 2026 statement regarding the cybersecurity incident, Mana...
08/01/2026

๐— ๐— ๐—› ๐—ฐ๐˜†๐—ฏ๐—ฒ๐—ฟ ๐—ฏ๐—ฟ๐—ฒ๐—ฎ๐—ฐ๐—ต ๐˜‚๐—ฝ๐—ฑ๐—ฎ๐˜๐—ฒ ๐Ÿด ๐—๐—ฎ๐—ป๐˜‚๐—ฎ๐—ฟ๐˜† ๐Ÿฎ๐Ÿฌ๐Ÿฎ๐Ÿฒ

Further to our 7 January 2026 statement regarding the cybersecurity incident, Manage My Health (MMH) provides the following update.

Direct notification of affected patients remains the foremost priority for Manage My Health this week.

๐—ฃ๐—ฎ๐˜๐—ถ๐—ฒ๐—ป๐˜ ๐—ป๐—ผ๐˜๐—ถ๐—ณ๐—ถ๐—ฐ๐—ฎ๐˜๐—ถ๐—ผ๐—ป๐˜€
Direct notifications to the first 50% of patients affected commenced this morning.

Notifications are being sent via email to the address patients used to register their account, and this communication will be personally addressed to the name associated with the account. A reminder that patients should keep an eye out for anything unusual โ€“ MMH will never ask for log-in credentials โ€“ and that we are intentionally redirecting MMH mobile app users to the MMH web application so that notification information is consistent across platforms.

These email notifications will include an 0800 number that impacted individuals can call for support and assistance should they require.

๐—ฃ๐—ฟ๐—ฎ๐—ฐ๐˜๐—ถ๐—ฐ๐—ฒ ๐—ป๐—ผ๐˜๐—ถ๐—ณ๐—ถ๐—ฐ๐—ฎ๐˜๐—ถ๐—ผ๐—ป๐˜€
MMH has been communicating with general practices daily since first notifying practices on 31 December that a cyber incident had occurred. Resources are being shared this week with practices, both with affected patients and not, this week to support practices with communications to their patients.

๐—•๐—ฟ๐—ฒ๐—ฎ๐—ฐ๐—ต ๐—ฐ๐—ผ๐—ป๐˜๐—ฎ๐—ถ๐—ป๐—บ๐—ฒ๐—ป๐˜
We understand and sincerely apologise for the pain and anxiety this criminal activity has caused to our providers and patients.

The MMH app consists of multiple modules. One of these contains data provided directly by a GP and is referred to within the app as โ€œHealth Recordsโ€. The app also includes a separate module called โ€œMy Health Documentsโ€, which stores documents, including those uploaded by users.

MMH would like to clarify that the breach was limited to data stored in the โ€œMy Health Documentsโ€ module only. User data stored in the GP-provided โ€œHealth Recordsโ€ module was not compromised as part of this incident.

Hereโ€™s a summary of the facts, to date:

โ€ข The cyber incident was limited to 6-7% of our 1.8 million registered users, within the โ€œMy Health Documentsโ€ module only
โ€ข The data relates to a range of medical practices, including:
โ€ข Approximately 45 Northland-based GP practices;
โ€ข Clinical discharge summaries and historical clinical referral records in the Northland region (data that is between six and eight years old)
โ€ข Approximately 355 โ€œreferral-originatingโ€ GP practices across a number of New Zealand regions
โ€ข Personal health information uploaded by patients

๐—ก๐—ผ๐—ฟ๐˜๐—ต๐—น๐—ฎ๐—ป๐—ฑ ๐—ฝ๐—ฟ๐—ฎ๐—ฐ๐˜๐—ถ๐—ฐ๐—ฒ๐˜€
Our investigation has shown that the data taken originates predominantly from the Northland region; documents that were shared with patients through the My Health Documents module and subject of the unauthorised access.

We recognise the disproportionate impact that this incident has had on some Northland communities. We are working closely with Health NZ/Te Whatu Ora as the data controller for Northland region documents to ensure those affected receive appropriate support and information.

๐—ฆ๐˜†๐˜€๐˜๐—ฒ๐—บ ๐˜€๐—ฒ๐—ฐ๐˜‚๐—ฟ๐—ถ๐˜๐˜†
We can confirm ๏ปฟthat we received independent confirmation from our cyber security specialists that the current system environment is secure and operating as intended.

MMH is an ISO 9001 and ISO 27001 certified organisation. We have quality assurance processes with regular testing of our systems.

๐—ฃ๐—ฎ๐˜๐—ถ๐—ฒ๐—ป๐˜ ๐—ฑ๐—ฎ๐˜๐—ฎ
Manage My Health does not automatically delete patient accounts or data when a practice stops using the platform. For example, many MMH users have signed up for accounts that are not linked to doctors and use the many features of the application that are not related to communications with their GP. In addition, many patients change doctors / practices while keeping their MMH account. Accounts remain active unless the patient chooses to close their account, whereupon the data is deleted.

๐—”๐—ฑ๐˜ƒ๐—ถ๐˜€๐—ผ๐—ฟ๐˜† ๐—•๐—ผ๐—ฎ๐—ฟ๐—ฑ
Honorary Clinical Advisor Emeritus Professor Murray Tilyard ONZM has been appointed as an Honorary Clinical Advisor to the Manage My Health Board. Professor Tilyard brings more than three decades of leadership in New Zealand general practice, research and clinical governance. He is Emeritus Professor and former Chair/Head of General Practice at the Otago University (Dunedin) School of Medicine (1993โ€“2022 Prof Tilyard continues to hold a practicing certificate and is a Distinguished fellow of the RNZCGP.

In this advisory role he will provide independent expert clinical advice to Manage My Health senior team and board, and strengthen Manage My Healthโ€™s clinical governance, decisions and patient communications following the recent cyber incident.

Professor Tilyardโ€™s appointment is to provide patients, clinicians, and stakeholders additional confidence that decisions affecting individual patients, and in particular vulnerable patients, have senior clinical oversight and guidance.

๐—›๐—ถ๐—ด๐—ต ๐—ฐ๐—ผ๐˜‚๐—ฟ๐˜ ๐—ผ๐—ฟ๐—ฑ๐—ฒ๐—ฟ ๐—ฝ๐—ฟ๐—ผ๐˜๐—ฒ๐—ฐ๐˜๐—ถ๐—ป๐—ด ๐—ฝ๐—ฎ๐˜๐—ถ๐—ฒ๐—ป๐˜ ๐—ฑ๐—ฎ๐˜๐—ฎ
MMH has sought further protection to prevent third parties from accessing any data based on injunction orders from the High Court. The order has been served to major media outlets. We have an international team monitoring known data leak websites and are prepared to issue takedown notices immediately if any information is posted.

As a precaution, patients are encouraged to change their passwords and use multi-factor authentication, especially if they reuse passwords across other services.

๐—ฃ๐—ผ๐—น๐—ถ๐—ฐ๐—ฒ ๐—ฎ๐—ฑ๐˜ƒ๐—ถ๐—ฐ๐—ฒ ๐—ฟ๐—ฒ๐—ด๐—ฎ๐—ฟ๐—ฑ๐—ถ๐—ป๐—ด ๐˜๐—ต๐—ฒ ๐˜๐—ต๐—ฟ๐—ฒ๐—ฎ๐˜ ๐—ฎ๐—ฐ๐˜๐—ผ๐—ฟ
A reminder that Police advice is that third parties should not engage directly with criminal hacker groups, including in this situation. Doing so is not in the best interest of those impacted by this incident and can have unanticipated consequences.

๐—™๐—”๐—ค๐˜€
For any further information, please refer to our frequently asked questions here: https://managemyhealth.co.nz/faqs-cyber-breach/

As always, if any patients or practices have any concerns or questions, please contact us directly via info@managemyhealth.co.nz

Our regular updates can be found here: www.managemyhealth.co.nz

Find the answers to the most frequently asked questions related to the recent Cyber Breach.

MMH cyber breach update 6 January 2026 Further to our 5 January 2026 update regarding the cyber security incident, Manag...
06/01/2026

MMH cyber breach update 6 January 2026

Further to our 5 January 2026 update regarding the cyber security incident, Manage My Health provides the following update.

Direct communication with providers
As communicated in our last update, we have identified all patients whose documents may have been accessed in this incident. We have now notified the first group of affected general practices and unaffected practices in a communication that was distributed on the afternoon of 5 January.

Impact on the practices
We have advised the affected practices that the independent forensic investigation has confirmed that some patients associated with their practice have been affected, and are providing resources to help them respond to any patient inquiries.

Based on our findings, the incident was limited to 6-7% of our 1.8 million registered users of the โ€˜My Health Documentsโ€™ module on the Manage My Health app.

Information in the Manage My Health core module, in respect of appointments, prescription in the Health Record function have not been accessed and the portal has been independently confirmed as secure.

We have advised practices that the list of patients enrolled who have been impacted is available to the practice in the secure MMH Provider Portal. The MMH Provider Portal will state the name of the patient and the records accessed in the incident. We have recommended that practices review the list and advise us of any concerns about any vulnerable patients receiving notifications, so that we can provide appropriate support.

Features on the Manage My Health app which allow practices to see if they are affected have now also gone live to assist practices. We are working on a process to inform practices who have left Manage My Health.

Affected individuals
We are currently working through the Privacy Act notification process for each affected individual, in conjunction with Health NZ and the Office of the Privacy Commissioner.

The Privacy Act requires individuals to be notified when their information has been accessed in an unauthorised way. MMH is taking on this responsibility on behalf of the practices, to which the information is being provided so that practices can provide support after individuals have been notified. Privacy Act notifications will go to practices through Manage My Health, together with details of how more information and support can be accessed.

MMH will establish and promote an 0800 helpline number where impacted patients can get advice and support. Practices will also be notified of this helpline as soon as it is available so they can direct patients to it.

Features on the Manage My Health app will go live soon to allow affected individuals to determine whether any of their documents have been impacted in this cyber event.

Protecting Abuse of Data
Manage My Health has obtained injunction orders on an interim basis from the High Court preventing third parties from accessing any stolen data.

The orders:
1. Restrain third parties from accessing or in any way dealing with the stolen data.
2. Require that anyone with access to the stolen data or any information obtained from it immediately delete it.
3. Require that anyone immediately delete and take down any and all publications of or links to copies of the affected dataset or information obtained from it.

Formal sealed versions of the orders have been sought.

We continue to work around the clock and closely with authorities and agencies to respond to this incident and resolve the matter for patients and general practices.

We sincerely apologise for the pain and anxiety this incident has caused to our providers and patients, as a result of this activity against our systems.

Contact
In the interim, if any patients or practices have any concerns or questions, please contact us directly via info@managemyhealth.co.nz

FAQs
For any further information, please refer to our frequently asked questions here: FAQs - Cyber Breach | Manage My Health

Our regular updates can be found here:

Trusted by over 1.85 million Kiwis and used by most health centres, Manage My Health is a secure health portal that empowers people to take charge of their

MMH cyber breach update 5 January 2026 Further to our 3 January 2026 update regarding the cyber security incident we wer...
05/01/2026

MMH cyber breach update 5 January 2026

Further to our 3 January 2026 update regarding the cyber security incident we were notified of on 30 December 2025, Manage My Health provides the following update.

We sincerely apologise for the pain and anxiety this incident has caused to our providers and patients, as a result of criminal activity against our systems. We continue to work closely alongside Health NZ, the NZ Police and other agencies to respond to this crime.

We acknowledge we could have done a better job at communication, however, our priority was to secure patient data and work on the accuracy of all information before providing it to practices and patients. This has been our paramount consideration.

As we have said from the beginning, we strive to be transparent in our communications, and will be publishing daily updates with all the information we can share with you. There are constraints, both legal and practical to the fast dissemination of this information.

We want to assure the public that since the 30th of December, and throughout the holiday period, our team has been working tirelessly to first and foremost ensure our systems are secure and prevent further intrusions. Secondly, we have been working as part of a cross-sector group to implement processes to begin communication with affected practices and patients.

We acknowledge that this delay has been a cause for concern. We will make every effort to continue to work hard to provide you with accurate and reliable information as urgently as practicable, in consultation with various stakeholders.

Manage My Health welcomes the commissioning of a Ministry of Health review and will cooperate fully with this process. We hope the findings and recommendations of the review are not just helpful to us, but to the whole sector.

Legal action
To protect patient data and confidentiality, Manage My Health has today been granted injunction orders from the High Court preventing third parties from accessing any data posted as a result of the incident.

We have an international team monitoring known data leak websites and are prepared to issue takedown notices immediately if any information is posted.

A cyber-attack is criminal activity, and any unlawful use of private client information will be subject to legal action and takedown orders. Any ransom demand is a matter for NZ Police and Manage My Health will not be making any comment in this regard, as it is an ongoing investigation.

Direct communications beginning this week
We are commencing today, our communications to practices and will be continuing this process throughout the course of this week, until this notification process is complete. Alongside this, we will be providing regular updates via our website, as and when information becomes available and it is appropriate for us to share it.

For context, under the Privacy Act 2020 and the Health Information Privacy Code, the obligation to notify affected individuals sits with the agency that holds the information. Where health documents originate from multiple sources, there may be multiple data controllers with independent notification obligations. This requires coordination to ensure we meet our legal obligations.

Affected Patients
We have identified all patients whose documents may have been accessed in this incident.

Direct patient notification will commence this week. The exact timing requires coordination with Health New Zealand, GPNZ, and GP practices to ensure patients receive clear, consistent information and do not receive multiple or confusing notifications from different organisations about the same incident.

General Practices
We have commenced notifying practices from today. Each practice will receive access to a confidential list of their affected patients through our secure Provider Portal, along with guidance on supporting patients who contact them with questions.

This will enable general practices to prepare for patient enquiries before patients receive direct notification from us. GPs are often the first point of contact for concerned patients, and we want to ensure they have the information they need.

Patient support
We will start the patient communication process after practices have been notified. A dedicated 0800 helpline will be established for affected patients as soon as possible. Further details, including the phone number and operating hours, will be provided in our next update.

Independent forensic investigation
An independent forensic investigation by specialist cybersecurity consultants continues. As this is an ongoing investigation, we cannot currently comment on specific technical findings.

We share the pain suffered by Kiwis by this cyber-crime, and are committed to ensuring your data is safe and will work to restore the trust you have in us.

Contact
In the interim, if any patients or practices have any concerns or questions, please contact us directly via info@managemyhealth.co.nz

FAQs
For any further information, please refer to our frequently asked questions here: FAQs - Cyber Breach | Manage My Health

Our regular updates can be found here:

Trusted by over 1.85 million Kiwis and used by most health centres, Manage My Health is a secure health portal that empowers people to take charge of their

03/01/2026

MMH cyber breach update 3 January 2026

Further to our update issued on 2 January 2026 regarding the cyber security incident we were notified of on 30 December, Manage My Health is providing additional factual details and supporting information as independent forensic analysis continues to progress.

Independent forensic assurance

We have received independent confirmation from our forensic cyber security specialists that the current system environment is secure and operating as intended.

The investigation has identified that one module, Health Documents, within the app was compromised, not the whole app.
Manage My Health is commencing legal action to protect our clients data.

We now have the complete list of people whose documents may have been accessed and expect forensic confirmation of the documents effected in the coming days.

We know that 6-7% of the approximately 1.8 million registered users have been affected by this incident. We expect to start notifying those affected following confirmation of forensics and liaison with PHOs and GPs to ensure that individuals are getting the right information, in line with Privacy Act requirements, and are properly supported.

The forensic team is continuing work to confirm our analysis of the specific documents involved. Completion of this step will enable us to proceed with more targeted communications to affected parties, and we will start informing people directly from early next week.

Together with identifying everyone affected, Manage My Health has:

* Fixed the security gap: We've identified and closed the specific gaps that allowed unauthorised access. This fix has been independently tested and verified by external cybersecurity experts.
* Made log-ins more secure - We've added extra checks when people log in and limited how many times someone can try to access the system in a short time.
* Secured the files - All health documents have been re-secured and their storage has been strengthened.

For peace of mind, any Manage My Health user can reset their password or enable two-factor authentication (2FA) where available, including biometric measures, to add an additional layer of protection to their accounts.

Here is the link to instructions to enable the two-factor authentication (you need to be logged in to access the link): https://app.managemyhealth.co.nz/myaccount/two-step-verification

Supported Authenticator Apps:

โ€ข Google Authenticator
โ€ข Microsoft Authenticator

In addition, keep an eye out for anything unusual, such as medical bills or insurance claims you donโ€™t recognise, or unexpected letters from healthcare providers. If you see anything that looks odd to you, contact the relevant provider immediately.

You can also report anything suspicious to the New Zealand Police via police.govt.nz and report any suspected scam calls or emails to CERT NZ via cert.govt.nz.

Coordinated communications with the sector

We are working closely with General Practice New Zealand (GPNZ) leadership and Health New Zealand to coordinate communications to practices and to support consistent, accurate messaging across the sector.

Dedicated support for practices and users
Manage My Health is urgently endeavoring to establish a dedicated helpline to support both practices and users by early next week. Support will be available via:

* An online helpdesk; and
* A dedicated 0800 support number (details to be published as soon as possible).

Manage My Health is working with independent cyber security specialists, the Privacy Commissioner, the New Zealand Police and Health New Zealand regarding the data breach.

Communications to affected practices, organisations, and patients are being prepared and will be issued once final verification steps are completed.

We appreciate the patience and cooperation of practices, patients, and partners. Our priority remains transparency, system security, and ensuring appropriate support is available while the investigation is finalised.

Manage My Health will provide a further update as soon as new information is available.

ManageMyHealthโ„ข is a secure health portal that provides 24/7 access to your health records, video consultations, hospital letters, referrals, appointment bookings, repeat prescriptions, and direct messaging with your doctor

Address

Level 1, 48 Market Place, Viaduct Harbour
Auckland
1010

Opening Hours

Monday 9am - 5pm
Tuesday 9am - 5pm
Wednesday 9am - 5pm
Thursday 9am - 5pm
Friday 9am - 5pm

Alerts

Be the first to know and let us send you an email when Manage My Health NZ posts news and promotions. Your email address will not be used for any other purpose, and you can unsubscribe at any time.

Share

Share on Facebook Share on Twitter Share on LinkedIn
Share on Pinterest Share on Reddit Share via Email
Share on WhatsApp Share on Instagram Share on Telegram