Manage My Health NZ

12/01/2026

MMH cyber breach update 12 January 2026

Further to our 9 January 2026 statement regarding the cybersecurity crime, Manage My Health (MMH) provides the following update.

Patient notification

More than half of affected patients have now received a notification email.

This process is ongoing, with notifications rolling out to affected patients that can be notified. It will take some time to complete the remainder of the list given the complexities of coordinating communications to separate cohorts of patients with relevant authorities and Health New Zealand. This must be done securely in compliance with privacy laws. We will provide a timeframe for completion when we are able to.

Practice and healthcare provider notification

We continue to communicate with general practices to provide updates, support and guidance, and will be providing resources to all practices to assist direct communications with their patients.

MMH is also communicating with other relevant healthcare providers whose patients and clients utilise MMH, to ensure they have the appropriate information and resources at hand when answering any questions directly from their user base.

Northland

We continue to work closely with Health New Zealand to ensure those affected receive appropriate support and information.

Advisory board

Following the appointment of Emeritus Professor Murray Tilyard ONZM as an Honorary Clinical Advisor and Ross Tanner as Governance and Privacy Matters Advisor to MMH’s advisory board, MMH advises it has also appointed Russell Craig.

From 2014 to 2023, Russell was Microsoft New Zealand’s National Technology and Security Officer, advising public and private organisations on digital strategy and risk, including the health sector, and he also served on the Board of the Digital Health Association.

Russell's expertise in data governance, cybersecurity and the health technology sector makes him an invaluable addition to MMH’s Advisory Board. His guidance will be instrumental as we continue to strengthen our security posture and security governance frameworks to better serve patients and healthcare providers across New Zealand.

Technical support

Our team continues to be available to answer any technical questions that patients and practices have and encourage those experiencing any difficulty in accessing the web application or locating information and documents, to persist via all usual contact methods including via social media direct message or info@managemyhealth.co.nz. Affected patients have been provided with an 0800 number for dedicated support.

MMH assures patients that our systems are secure and operating as normal.

For any further information, please refer to our frequently asked questions here: FAQs - Cyber Breach | Manage My Health

Our regular updates can be found on our website

As always, if any patients or practices have any concerns or questions, please contact us directly via info@managemyhealth.co.nz

09/01/2026

𝗠𝗠𝗛 𝗰𝘆𝗯𝗲𝗿 𝗯𝗿𝗲𝗮𝗰𝗵 𝘂𝗽𝗱𝗮𝘁𝗲, 𝟵 𝗝𝗮𝗻𝘂𝗮𝗿𝘆 𝟮𝟬𝟮𝟲

Further to our 8 January 2026 statement regarding the cybersecurity crime, Manage My Health (MMH) provides the following update.

Our priority focus remains on direct communications with affected patients and practices. MMH would like to reiterate its sincere apology to those impacted by this criminal cyber breach. We understand it is distressing and appreciate the frustration at the timing of communications. However, this is a complex exercise which unfortunately cannot be simplified due to the separate cohorts of patients affected which have to be dealt with in different ways.

As a result of which, there is unfortunately no scenario in which MMH could issue instant notifications to those impacted by the breach. Direct notifications have required coordination and clearance from relevant authorities and health sector stakeholders such as GP organisations.

Upon ascertainment of the breach, we immediately contacted Health NZ and various other Government agencies for their cooperation and management of this incident. We also duly notified the Privacy Commissioner of the breach. We knew it did not affect the core MMH application and was confined to a documents folder which was outside the main database.

We immediately appointed our cyber security forensic experts to analyse the cause of the breach and the investigations are ongoing. We also had an independent vulnerability application test conducted which confirmed the current system environment is secure, and therefore can offer an assurance that the breach was swiftly contained.

𝗟𝗲𝗴𝗮𝗹
Injunction orders were secured in the interests of protecting client data and to minimise any abuse of data.

Further, MMH has taken all necessary steps to ensure that direct notification to affected practices and patients has complied with relevant legislation including the Privacy Act 2020 and the Health Information Privacy Code.

𝗣𝗮𝘁𝗶𝗲𝗻𝘁 𝗻𝗼𝘁𝗶𝗳𝗶𝗰𝗮𝘁𝗶𝗼𝗻
Direct notifications to patients affected are ongoing, as we are addressing several categories of people, and we expect to complete contacting all remaining patients that can be notified by early next week. More than half of all impacted patients have now received a notification email.

𝟬𝟴𝟬𝟬 𝗻𝘂𝗺𝗯𝗲𝗿 𝗳𝗼𝗿 𝗮𝗳𝗳𝗲𝗰𝘁𝗲𝗱 𝗶𝗻𝗱𝗶𝘃𝗶𝗱𝘂𝗮𝗹𝘀
An 0800 number has been established for impacted individuals to call for support and assistance should they require. This number will not be publicly available and only shared with impacted individuals via direct notification, as the team manning this number is dedicated to supporting impacted individuals only.

𝗧𝗲𝗰𝗵𝗻𝗶𝗰𝗮𝗹 𝘀𝘂𝗽𝗽𝗼𝗿𝘁
We are aware of some reports of users experiencing technical difficulties, such as receiving emails, accessing the patient portal and viewing documents in their account. For these and all other enquiries, the MMH team continues to be available via all usual contact methods including via social media direct message or info@managemyhealth.co.nz

𝗠𝗲𝗱𝗶𝗮 𝗲𝗻𝗾𝘂𝗶𝗿𝗶𝗲𝘀
MMH appreciates the significant national interest in this criminal cyber breach, given the platform’s role in storing medical information.

As this criminal cyber breach is subject to a police investigation, a full forensic review, and there are privacy concerns involved, there are valid constraints to what MMH can comment on publicly. MMH values its relationship with all media and aims to be accessible, open, and transparent in its communications.

MMH is endeavouring to respond to all individual enquiries and will provide answers to specific questions where possible within these constraints. Regular statements from MMH are shared with media and placed on the website.

𝙈𝙚𝙙𝙞𝙖 𝙣𝙤𝙩𝙚: 𝘗𝘭𝘦𝘢𝘴𝘦 𝘴𝘦𝘦 𝘍𝘈𝘘𝘴 𝘣𝘦𝘭𝘰𝘸 𝘧𝘰𝘳 𝘢𝘥𝘥𝘪𝘵𝘪𝘰𝘯𝘢𝘭 𝘪𝘯𝘧𝘰𝘳𝘮𝘢𝘵𝘪𝘰𝘯 𝘸𝘩𝘪𝘤𝘩 𝘮𝘢𝘺 𝘣𝘦 𝘶𝘴𝘦𝘧𝘶𝘭 𝘣𝘢𝘴𝘦𝘥 𝘰𝘯 𝘳𝘦𝘤𝘶𝘳𝘳𝘪𝘯𝘨 𝘲𝘶𝘦𝘴𝘵𝘪𝘰𝘯 𝘵𝘩𝘦𝘮𝘦𝘴.

𝗛𝗮𝗰𝗸𝗲𝗿 𝗮𝗻𝗱 𝗿𝗮𝗻𝘀𝗼𝗺 𝗱𝗲𝗺𝗮𝗻𝗱
A cyber-attack is criminal activity, and this incident is subject to a police investigation. MMH is unable to provide any comment relating to the hacker, or any ransom demand.

Police advice is that third parties should not engage directly with criminal hacker groups, including in this situation. Doing so is not in the best interest of those impacted by this incident and can have un-anticipated consequences.

Police also advise that anyone who has been notified that their data is included in the breach does not need to contact police as this has been covered by the Manage My Health report to police. However, police should be contacted if there is evidence of misuse of personal information.

Government guidance on cyber ransom payments: The New Zealand Government recommends not paying a ransom. Payment does not guarantee that you will get your data back, may breach sanctions, and creates harm to others by providing funding for criminal activities.

𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗽𝗼𝘀𝘁𝘂𝗿𝗲 𝗮𝗻𝗱 𝗲𝗻𝗰𝗿𝘆𝗽𝘁𝗶𝗼𝗻
MMH employs current security measures such as encryption of health data in its database and user passwords.

MMH is an ISO 9001 and ISO 27001 certified organisation. We have quality assurance processes with regular testing of our systems.

𝗠𝗠𝗛 𝗰𝗼𝗺𝗺𝗲𝗻𝘁 𝗼𝗻 𝗼𝘁𝗵𝗲𝗿 𝗵𝗮𝗰𝗸𝗶𝗻𝗴 𝗮𝘁𝘁𝗲𝗺𝗽𝘁𝘀
MMH continuously monitors and upgrades its security and data protection systems. This is a continuing process and criminals find sophisticated new ways of attacking any large system which contains personal data, as has been evidenced in both the health and non-healthcare sectors globally and New Zealand is no exception.

The Office of the Privacy Commissioner confirmed on 7 January that they received an email via their enquiries in-box from an anonymous source about Manage My Health in June 2025 alleging names, email addresses and passwords were exposed in the Manage My Health platform.

In this case we investigated and did not find any breach. However, out of an abundance of caution, we forced password resets on the users concerned. We also reinforced that two factor authentication is available to users of Manage My Health for them to use to enhance the security of their access to the portal.

𝗙𝗔𝗤𝘀

• 𝗡𝘂𝗺𝗯𝗲𝗿 𝗼𝗳 𝗮𝗳𝗳𝗲𝗰𝘁𝗲𝗱 𝗽𝗮𝘁𝗶𝗲𝗻𝘁𝘀
o The number of patients impacted is approximately 125,000.

• 𝗣𝗮𝘁𝗶𝗲𝗻𝘁 𝗻𝗼𝘁𝗶𝗳𝗶𝗰𝗮𝘁𝗶𝗼𝗻 𝗽𝗿𝗼𝗴𝗿𝗲𝘀𝘀 𝗮𝗻𝗱 𝗮𝗰𝗰𝘂𝗿𝗮𝗰𝘆
o Patient notifications continue. More than half of all impacted patients have now received a notification email. All patients who are not impacted can see that in their MMH app. In a small number of cases, users were notified that they were impacted, but the app showed that they were not impacted – this was caused by the timing of the emails being sent, and the app being updated. This has been updated and all users see the correct details in the app after they have been notified.

• 𝗗𝗼𝗰𝘂𝗺𝗲𝗻𝘁 𝗿𝗲𝗺𝗼𝘃𝗮𝗹
o MMH has not removed or changed any documents in MMH which were affected. No direct reports of this nature have been made to MMH, however if any user believes documents are missing from their account, they are encouraged to contact MMH directly.

• 𝗕𝗹𝗮𝗻𝗸/𝗰𝗼𝗻𝘁𝗿𝗮𝗱𝗶𝗰𝘁𝗼𝗿𝘆 𝗲𝗺𝗮𝗶𝗹𝘀 𝗯𝗲𝗶𝗻𝗴 𝘀𝗲𝗻𝘁 𝘁𝗼 𝗽𝗮𝘁𝗶𝗲𝗻𝘁𝘀
o Some email clients may not have displayed the email correctly, and we have corrected this are sending follow up emails where necessary.

• 𝗡𝗼𝗿𝘁𝗵𝗹𝗮𝗻𝗱 𝗶𝗺𝗽𝗮𝗰𝘁
o MMH provides a service for Northland patients to receive hospital discharge summaries through MMH. This solution was a benefit to Northlanders who did not have to wait in hospital to receive paper records and was of particular benefit to Northlanders who are not enrolled with a GP. This arrangement was not in place in other regions.

• 𝗢𝘃𝗲𝗿𝘀𝗲𝗮𝘀 𝗽𝗮𝘁𝗶𝗲𝗻𝘁𝘀 𝗯𝗹𝗼𝗰𝗸𝗲𝗱 𝗳𝗿𝗼𝗺 𝗮𝗰𝗰𝗲𝘀𝘀𝗶𝗻𝗴 𝗮𝗰𝗰𝗼𝘂𝗻𝘁𝘀
o Out of an abundance of caution, we limited the countries that can access MMH to UK, USA, Aus and NZ during the incident and will gradually restore access internationally.

• 𝗪𝗲𝗯𝘀𝗶𝘁𝗲 𝘁𝗿𝗮𝗳𝗳𝗶𝗰 𝘃𝗼𝗹𝘂𝗺𝗲
o The website has been standing up well, despite the large increase in traffic. We increased capacity as much as possible at short notice to accommodate expected volumes. While some users have experienced some slowness, the application has been operational, and most users are getting the information they need. We ask people to have patience please and to not access the website unless they need to until this notification process is complete.

• 𝗠𝗠𝗛 𝗱𝗮𝘁𝗮𝗯𝗮𝘀𝗲 𝗹𝗼𝗰𝗮𝘁𝗶𝗼𝗻
o The MMH database has always been located in NZ, via NZ data centres.

• 𝗜𝗻𝘀𝘁𝗿𝘂𝗰𝘁𝗶𝗼𝗻𝘀 𝗴𝗶𝘃𝗲𝗻 𝘁𝗼 𝗚𝗣𝘀 𝗮𝗯𝗼𝘂𝘁 𝗶𝗻𝗳𝗼𝗿𝗺𝗶𝗻𝗴 𝗽𝗮𝘁𝗶𝗲𝗻𝘁𝘀
o MMH is responsible for notifying patients. MMH has shared information with GPs about their impacted patients, but GPs are not expected to notify patients. However, we have prepared an information pack to assist practices, both with affected patients and not, which is being shared this week to support practices with communications to their patients.

• 𝗣𝗿𝗲𝘃𝗲𝗻𝘁𝗶𝗼𝗻 𝗺𝗲𝗮𝘀𝘂𝗿𝗲𝘀 𝗳𝗼𝗿 𝗳𝘂𝘁𝘂𝗿𝗲 𝗰𝘆𝗯𝗲𝗿 𝗶𝗻𝗰𝗶𝗱𝗲𝗻𝘁𝘀
o MMH has taken a number of prevention measures. In the first event, we have secured our systems and contracted separate external organisations to run VAPT testing processes to validate our system testing. We are currently carrying out forensic investigations which are still ongoing.

For any further information, please refer to our frequently asked questions here: https://managemyhealth.co.nz/faqs-cyber-breach/

𝗡𝗲𝘅𝘁 𝘂𝗽𝗱𝗮𝘁𝗲
MMH will issue its next update on Monday 12 January 2026 once the company has made further progress with direct communications with GP practices, patients and stakeholders.

Our regular updates can be found here: www.managemyhealth.co.nz

As always, if any patients or practices have any concerns or questions, please contact us directly via info@managemyhealth.co.nz

Find the answers to the most frequently asked questions related to the recent Cyber Breach.

08/01/2026

𝗠𝗠𝗛 𝗰𝘆𝗯𝗲𝗿 𝗯𝗿𝗲𝗮𝗰𝗵 𝘂𝗽𝗱𝗮𝘁𝗲 𝟴 𝗝𝗮𝗻𝘂𝗮𝗿𝘆 𝟮𝟬𝟮𝟲

Further to our 7 January 2026 statement regarding the cybersecurity incident, Manage My Health (MMH) provides the following update.

Direct notification of affected patients remains the foremost priority for Manage My Health this week.

𝗣𝗮𝘁𝗶𝗲𝗻𝘁 𝗻𝗼𝘁𝗶𝗳𝗶𝗰𝗮𝘁𝗶𝗼𝗻𝘀
Direct notifications to the first 50% of patients affected commenced this morning.

Notifications are being sent via email to the address patients used to register their account, and this communication will be personally addressed to the name associated with the account. A reminder that patients should keep an eye out for anything unusual – MMH will never ask for log-in credentials – and that we are intentionally redirecting MMH mobile app users to the MMH web application so that notification information is consistent across platforms.

These email notifications will include an 0800 number that impacted individuals can call for support and assistance should they require.

𝗣𝗿𝗮𝗰𝘁𝗶𝗰𝗲 𝗻𝗼𝘁𝗶𝗳𝗶𝗰𝗮𝘁𝗶𝗼𝗻𝘀
MMH has been communicating with general practices daily since first notifying practices on 31 December that a cyber incident had occurred. Resources are being shared this week with practices, both with affected patients and not, this week to support practices with communications to their patients.

𝗕𝗿𝗲𝗮𝗰𝗵 𝗰𝗼𝗻𝘁𝗮𝗶𝗻𝗺𝗲𝗻𝘁
We understand and sincerely apologise for the pain and anxiety this criminal activity has caused to our providers and patients.

The MMH app consists of multiple modules. One of these contains data provided directly by a GP and is referred to within the app as “Health Records”. The app also includes a separate module called “My Health Documents”, which stores documents, including those uploaded by users.

MMH would like to clarify that the breach was limited to data stored in the “My Health Documents” module only. User data stored in the GP-provided “Health Records” module was not compromised as part of this incident.

Here’s a summary of the facts, to date:

• The cyber incident was limited to 6-7% of our 1.8 million registered users, within the “My Health Documents” module only
• The data relates to a range of medical practices, including:
• Approximately 45 Northland-based GP practices;
• Clinical discharge summaries and historical clinical referral records in the Northland region (data that is between six and eight years old)
• Approximately 355 “referral-originating” GP practices across a number of New Zealand regions
• Personal health information uploaded by patients

𝗡𝗼𝗿𝘁𝗵𝗹𝗮𝗻𝗱 𝗽𝗿𝗮𝗰𝘁𝗶𝗰𝗲𝘀
Our investigation has shown that the data taken originates predominantly from the Northland region; documents that were shared with patients through the My Health Documents module and subject of the unauthorised access.

We recognise the disproportionate impact that this incident has had on some Northland communities. We are working closely with Health NZ/Te Whatu Ora as the data controller for Northland region documents to ensure those affected receive appropriate support and information.

𝗦𝘆𝘀𝘁𝗲𝗺 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆
We can confirm that we received independent confirmation from our cyber security specialists that the current system environment is secure and operating as intended.

MMH is an ISO 9001 and ISO 27001 certified organisation. We have quality assurance processes with regular testing of our systems.

𝗣𝗮𝘁𝗶𝗲𝗻𝘁 𝗱𝗮𝘁𝗮
Manage My Health does not automatically delete patient accounts or data when a practice stops using the platform. For example, many MMH users have signed up for accounts that are not linked to doctors and use the many features of the application that are not related to communications with their GP. In addition, many patients change doctors / practices while keeping their MMH account. Accounts remain active unless the patient chooses to close their account, whereupon the data is deleted.

𝗔𝗱𝘃𝗶𝘀𝗼𝗿𝘆 𝗕𝗼𝗮𝗿𝗱
Honorary Clinical Advisor Emeritus Professor Murray Tilyard ONZM has been appointed as an Honorary Clinical Advisor to the Manage My Health Board. Professor Tilyard brings more than three decades of leadership in New Zealand general practice, research and clinical governance. He is Emeritus Professor and former Chair/Head of General Practice at the Otago University (Dunedin) School of Medicine (1993–2022 Prof Tilyard continues to hold a practicing certificate and is a Distinguished fellow of the RNZCGP.

In this advisory role he will provide independent expert clinical advice to Manage My Health senior team and board, and strengthen Manage My Health’s clinical governance, decisions and patient communications following the recent cyber incident.

Professor Tilyard’s appointment is to provide patients, clinicians, and stakeholders additional confidence that decisions affecting individual patients, and in particular vulnerable patients, have senior clinical oversight and guidance.

𝗛𝗶𝗴𝗵 𝗰𝗼𝘂𝗿𝘁 𝗼𝗿𝗱𝗲𝗿 𝗽𝗿𝗼𝘁𝗲𝗰𝘁𝗶𝗻𝗴 𝗽𝗮𝘁𝗶𝗲𝗻𝘁 𝗱𝗮𝘁𝗮
MMH has sought further protection to prevent third parties from accessing any data based on injunction orders from the High Court. The order has been served to major media outlets. We have an international team monitoring known data leak websites and are prepared to issue takedown notices immediately if any information is posted.

As a precaution, patients are encouraged to change their passwords and use multi-factor authentication, especially if they reuse passwords across other services.

𝗣𝗼𝗹𝗶𝗰𝗲 𝗮𝗱𝘃𝗶𝗰𝗲 𝗿𝗲𝗴𝗮𝗿𝗱𝗶𝗻𝗴 𝘁𝗵𝗲 𝘁𝗵𝗿𝗲𝗮𝘁 𝗮𝗰𝘁𝗼𝗿
A reminder that Police advice is that third parties should not engage directly with criminal hacker groups, including in this situation. Doing so is not in the best interest of those impacted by this incident and can have unanticipated consequences.

𝗙𝗔𝗤𝘀
For any further information, please refer to our frequently asked questions here: https://managemyhealth.co.nz/faqs-cyber-breach/

As always, if any patients or practices have any concerns or questions, please contact us directly via info@managemyhealth.co.nz

Our regular updates can be found here: www.managemyhealth.co.nz

Find the answers to the most frequently asked questions related to the recent Cyber Breach.

06/01/2026

MMH cyber breach update 6 January 2026

Further to our 5 January 2026 update regarding the cyber security incident, Manage My Health provides the following update.

Direct communication with providers
As communicated in our last update, we have identified all patients whose documents may have been accessed in this incident. We have now notified the first group of affected general practices and unaffected practices in a communication that was distributed on the afternoon of 5 January.

Impact on the practices
We have advised the affected practices that the independent forensic investigation has confirmed that some patients associated with their practice have been affected, and are providing resources to help them respond to any patient inquiries.

Based on our findings, the incident was limited to 6-7% of our 1.8 million registered users of the ‘My Health Documents’ module on the Manage My Health app.

Information in the Manage My Health core module, in respect of appointments, prescription in the Health Record function have not been accessed and the portal has been independently confirmed as secure.

We have advised practices that the list of patients enrolled who have been impacted is available to the practice in the secure MMH Provider Portal. The MMH Provider Portal will state the name of the patient and the records accessed in the incident. We have recommended that practices review the list and advise us of any concerns about any vulnerable patients receiving notifications, so that we can provide appropriate support.

Features on the Manage My Health app which allow practices to see if they are affected have now also gone live to assist practices. We are working on a process to inform practices who have left Manage My Health.

Affected individuals
We are currently working through the Privacy Act notification process for each affected individual, in conjunction with Health NZ and the Office of the Privacy Commissioner.

The Privacy Act requires individuals to be notified when their information has been accessed in an unauthorised way. MMH is taking on this responsibility on behalf of the practices, to which the information is being provided so that practices can provide support after individuals have been notified. Privacy Act notifications will go to practices through Manage My Health, together with details of how more information and support can be accessed.

MMH will establish and promote an 0800 helpline number where impacted patients can get advice and support. Practices will also be notified of this helpline as soon as it is available so they can direct patients to it.

Features on the Manage My Health app will go live soon to allow affected individuals to determine whether any of their documents have been impacted in this cyber event.

Protecting Abuse of Data
Manage My Health has obtained injunction orders on an interim basis from the High Court preventing third parties from accessing any stolen data.

The orders:
1. Restrain third parties from accessing or in any way dealing with the stolen data.
2. Require that anyone with access to the stolen data or any information obtained from it immediately delete it.
3. Require that anyone immediately delete and take down any and all publications of or links to copies of the affected dataset or information obtained from it.

Formal sealed versions of the orders have been sought.

We continue to work around the clock and closely with authorities and agencies to respond to this incident and resolve the matter for patients and general practices.

We sincerely apologise for the pain and anxiety this incident has caused to our providers and patients, as a result of this activity against our systems.

Contact
In the interim, if any patients or practices have any concerns or questions, please contact us directly via info@managemyhealth.co.nz

FAQs
For any further information, please refer to our frequently asked questions here: FAQs - Cyber Breach | Manage My Health

Our regular updates can be found here:

Trusted by over 1.85 million Kiwis and used by most health centres, Manage My Health is a secure health portal that empowers people to take charge of their

05/01/2026

MMH cyber breach update 5 January 2026

Further to our 3 January 2026 update regarding the cyber security incident we were notified of on 30 December 2025, Manage My Health provides the following update.

We sincerely apologise for the pain and anxiety this incident has caused to our providers and patients, as a result of criminal activity against our systems. We continue to work closely alongside Health NZ, the NZ Police and other agencies to respond to this crime.

We acknowledge we could have done a better job at communication, however, our priority was to secure patient data and work on the accuracy of all information before providing it to practices and patients. This has been our paramount consideration.

As we have said from the beginning, we strive to be transparent in our communications, and will be publishing daily updates with all the information we can share with you. There are constraints, both legal and practical to the fast dissemination of this information.

We want to assure the public that since the 30th of December, and throughout the holiday period, our team has been working tirelessly to first and foremost ensure our systems are secure and prevent further intrusions. Secondly, we have been working as part of a cross-sector group to implement processes to begin communication with affected practices and patients.

We acknowledge that this delay has been a cause for concern. We will make every effort to continue to work hard to provide you with accurate and reliable information as urgently as practicable, in consultation with various stakeholders.

Manage My Health welcomes the commissioning of a Ministry of Health review and will cooperate fully with this process. We hope the findings and recommendations of the review are not just helpful to us, but to the whole sector.

Legal action
To protect patient data and confidentiality, Manage My Health has today been granted injunction orders from the High Court preventing third parties from accessing any data posted as a result of the incident.

We have an international team monitoring known data leak websites and are prepared to issue takedown notices immediately if any information is posted.

A cyber-attack is criminal activity, and any unlawful use of private client information will be subject to legal action and takedown orders. Any ransom demand is a matter for NZ Police and Manage My Health will not be making any comment in this regard, as it is an ongoing investigation.

Direct communications beginning this week
We are commencing today, our communications to practices and will be continuing this process throughout the course of this week, until this notification process is complete. Alongside this, we will be providing regular updates via our website, as and when information becomes available and it is appropriate for us to share it.

For context, under the Privacy Act 2020 and the Health Information Privacy Code, the obligation to notify affected individuals sits with the agency that holds the information. Where health documents originate from multiple sources, there may be multiple data controllers with independent notification obligations. This requires coordination to ensure we meet our legal obligations.

Affected Patients
We have identified all patients whose documents may have been accessed in this incident.

Direct patient notification will commence this week. The exact timing requires coordination with Health New Zealand, GPNZ, and GP practices to ensure patients receive clear, consistent information and do not receive multiple or confusing notifications from different organisations about the same incident.

General Practices
We have commenced notifying practices from today. Each practice will receive access to a confidential list of their affected patients through our secure Provider Portal, along with guidance on supporting patients who contact them with questions.

This will enable general practices to prepare for patient enquiries before patients receive direct notification from us. GPs are often the first point of contact for concerned patients, and we want to ensure they have the information they need.

Patient support
We will start the patient communication process after practices have been notified. A dedicated 0800 helpline will be established for affected patients as soon as possible. Further details, including the phone number and operating hours, will be provided in our next update.

Independent forensic investigation
An independent forensic investigation by specialist cybersecurity consultants continues. As this is an ongoing investigation, we cannot currently comment on specific technical findings.

We share the pain suffered by Kiwis by this cyber-crime, and are committed to ensuring your data is safe and will work to restore the trust you have in us.

Contact
In the interim, if any patients or practices have any concerns or questions, please contact us directly via info@managemyhealth.co.nz

FAQs
For any further information, please refer to our frequently asked questions here: FAQs - Cyber Breach | Manage My Health

Our regular updates can be found here:

Trusted by over 1.85 million Kiwis and used by most health centres, Manage My Health is a secure health portal that empowers people to take charge of their

03/01/2026

MMH cyber breach update 3 January 2026

Further to our update issued on 2 January 2026 regarding the cyber security incident we were notified of on 30 December, Manage My Health is providing additional factual details and supporting information as independent forensic analysis continues to progress.

Independent forensic assurance

We have received independent confirmation from our forensic cyber security specialists that the current system environment is secure and operating as intended.

The investigation has identified that one module, Health Documents, within the app was compromised, not the whole app.
Manage My Health is commencing legal action to protect our clients data.

We now have the complete list of people whose documents may have been accessed and expect forensic confirmation of the documents effected in the coming days.

We know that 6-7% of the approximately 1.8 million registered users have been affected by this incident. We expect to start notifying those affected following confirmation of forensics and liaison with PHOs and GPs to ensure that individuals are getting the right information, in line with Privacy Act requirements, and are properly supported.

The forensic team is continuing work to confirm our analysis of the specific documents involved. Completion of this step will enable us to proceed with more targeted communications to affected parties, and we will start informing people directly from early next week.

Together with identifying everyone affected, Manage My Health has:

* Fixed the security gap: We've identified and closed the specific gaps that allowed unauthorised access. This fix has been independently tested and verified by external cybersecurity experts.
* Made log-ins more secure - We've added extra checks when people log in and limited how many times someone can try to access the system in a short time.
* Secured the files - All health documents have been re-secured and their storage has been strengthened.

For peace of mind, any Manage My Health user can reset their password or enable two-factor authentication (2FA) where available, including biometric measures, to add an additional layer of protection to their accounts.

Here is the link to instructions to enable the two-factor authentication (you need to be logged in to access the link): https://app.managemyhealth.co.nz/myaccount/two-step-verification

Supported Authenticator Apps:

• Google Authenticator
• Microsoft Authenticator

In addition, keep an eye out for anything unusual, such as medical bills or insurance claims you don’t recognise, or unexpected letters from healthcare providers. If you see anything that looks odd to you, contact the relevant provider immediately.

You can also report anything suspicious to the New Zealand Police via police.govt.nz and report any suspected scam calls or emails to CERT NZ via cert.govt.nz.

Coordinated communications with the sector

We are working closely with General Practice New Zealand (GPNZ) leadership and Health New Zealand to coordinate communications to practices and to support consistent, accurate messaging across the sector.

Dedicated support for practices and users
Manage My Health is urgently endeavoring to establish a dedicated helpline to support both practices and users by early next week. Support will be available via:

* An online helpdesk; and
* A dedicated 0800 support number (details to be published as soon as possible).

Manage My Health is working with independent cyber security specialists, the Privacy Commissioner, the New Zealand Police and Health New Zealand regarding the data breach.

Communications to affected practices, organisations, and patients are being prepared and will be issued once final verification steps are completed.

We appreciate the patience and cooperation of practices, patients, and partners. Our priority remains transparency, system security, and ensuring appropriate support is available while the investigation is finalised.

Manage My Health will provide a further update as soon as new information is available.

ManageMyHealth™ is a secure health portal that provides 24/7 access to your health records, video consultations, hospital letters, referrals, appointment bookings, repeat prescriptions, and direct messaging with your doctor