The fallout from the Manage My Health data breach is continuing, with the company warning that fraudsters may now be attempting to contact affected users by impersonating the online patient portal.
Manage My Health, which operates a widely used digital health platform in New Zealand, confirmed that most people impacted by the breach have now been notified. However, the organization cautioned that secondary criminal actors may be exploiting the situation by sending phishing or spam messages that appear to come from Manage My Health.
“We’re also aware that secondary actors may impersonate MMH and send spam or phishing emails to prompt engagement. These communications are not from MMH,” the company said in a statement. It added that it is investigating measures to limit this activity and has issued guidance to help users protect themselves.
The MMH cyberattack, which occurred late last year, involved unauthorized access to documents stored within a limited feature of the platform. Cyber criminals reportedly demanded thousands of dollars in ransom, threatening to release sensitive data on the dark web. If released, the information could have exposed the medical details of more than 120,000 New Zealanders.
Information Accessed in the Manage My Health Data Breach
According to Manage My Health, the cyberattack did not affect live GP clinical systems, prescriptions, appointment scheduling, secure messaging, or real-time medical records. Instead, the breach was confined to documents stored in the “My Health Documents” section of the platform.
These documents included files uploaded by users themselves, such as correspondence, reports, and test results, as well as certain clinical documents. The latter consisted of hospital discharge summaries and clinical letters related to care received in Northland Te Tai Tokerau.
Upon detecting unusual system activity, Manage My Health said it immediately secured the affected feature, blocked further unauthorized access, and activated its incident response plan. Independent cybersecurity specialists were engaged to investigate the incident and confirm its scope.
The company stated that the breach has since been contained and that testing has confirmed the vulnerability is no longer present.
Notifications and Regulatory Response
Manage My Health acknowledged that its initial response led to some individuals being notified prematurely. “When we first identified the breach, our priority was to promptly inform all potentially affected patients,” the organization said, noting that this cautious approach resulted in some people being contacted even though they were later found not to be impacted.
Following forensic investigations, those individuals were subsequently informed that their data had not been affected. Users can confirm their status by logging into the Manage My Health web application, where a green “No Impact” banner indicates no involvement in the incident.
The company said notification efforts are ongoing due to the complexity of coordinating communications across patient groups, authorities, and data controllers, while ensuring compliance with the New Zealand Privacy Act.
The Manage My Health data breach has also triggered regulatory scrutiny. The Office of the Privacy Commissioner (OPC) has announced an inquiry into the privacy aspects of the incident. Manage My Health confirmed it is working closely with the OPC, as well as Health New Zealand | Te Whatu Ora, the National Cyber Security Centre, and the New Zealand Police.
Legal Action and Monitoring Efforts
As part of its response to the MMH cyberattack, Manage My Health sought and was granted an interim injunction from the High Court. The injunction prohibits any third party from accessing, publishing, or disseminating the impacted data.
The organization said it is actively monitoring known data leak websites and is prepared to issue takedown notices immediately if any information appears online.
Additional security measures taken include remediating compromised account credentials, temporarily disabling the Health Documents module, and implementing continuous monitoring while broader security upgrades are rolled out. An independent forensic investigation remains ongoing, with the company declining to comment on specific technical findings at this stage.
Guidance for Users
Manage My Health has reiterated that it will never ask users for passwords or one-time security codes. It has urged caution when receiving unexpected or urgent messages claiming to be from the company.
Anyone contacted by individuals claiming to possess their health data is advised not to engage and to report the incident to New Zealand Police via 105, or 111 in an emergency, and notify Manage My Health support.
To assist those concerned about identity misuse, the company has partnered with IDCARE, which provides free and confidential cyber and identity support across Australia and New Zealand.
“We take the privacy of our clients and staff very seriously, and we sincerely apologise for any concern or inconvenience this incident may have caused,” Manage My Health said, adding that it remains committed to transparency as investigations into the cyberattack on Manage My Health continue.
