Security experts called the breach “incredibly concerning” for patients. Some commentators noted weaknesses in implementation practices — including suggestions that older encryption protocols or other legacy configurations can increase risk — and said the scale of the incident is significant for New Zealand’s health sector. Independent experts urged rapid transparency about what exact records were accessed so individuals can take specific steps to protect themselves.
Immediate advice to patients (what you should do now)
- Watch for official notice from Manage My Health — the company has said it will notify affected customers within 48 hours. That notice should state what data were involved and recommended next steps.
- Change passwords used on the portal immediately, and on any other online service that used the same password. Use a strong, unique password or a password manager.
- Enable multi-factor authentication (MFA) wherever possible — if your portal account supports MFA, turn it on.
- Be alert for phishing: attackers often use leaked personal or clinical details to craft convincing phishing messages or fraudulent calls pretending to be health or government officials. Do not click unknown links or provide personal details over the phone unless you’ve verified the contact.
- Monitor financial accounts and identity: if contact or identity information was exposed, consider watching bank accounts, credit reports, or using an identity monitoring service.
- Talk to your GP if you are worried clinical records were exposed — your clinician can advise on any clinical or privacy steps relevant to your care.
Likely impacts and worst-case scenarios
- Privacy harms: disclosure of sensitive medical information could have personal and social consequences for patients (e.g., stigma, workplace or family issues).
- Financial scams: personal contact details enable targeted scams or identity theft.
- Operational disruption: although Health NZ says its own systems are not compromised, the incident could increase workload for practices and helplines as patients seek reassurance and help.
What Manage My Health and authorities say they are doing
- Containment of the breach and steps to secure the application.
- Engagement of independent international forensic consultants to verify remediation and determine the exact extent and timing of unauthorized access.
- Preparing direct notifications to impacted users and coordination with government agencies (Health NZ, Privacy Commissioner, Police, National Cyber Security Centre).
Timeline (so far)
- Dec 31, 2025 — Manage My Health was reportedly alerted to suspicious activity (the company's Jan 1 statements say it was notified “yesterday”).
- Jan 1, 2026 — Public confirmation of a cyber-security incident; media reports estimate more than 100,000 users may be affected; CEO and Health NZ make public statements; forensic teams engaged; notifications to users promised within 48 hours.
Questions the public still needs answered
- Exactly which data fields (clinical notes, diagnoses, prescriptions, contact details, identifiers) were accessed and for which users.
- Whether any data have been published, sold, or used maliciously (ransom or extortion claims have circulated on forums and social media but have not been confirmed publicly by Manage My Health or police).
- Whether attackers retain any persistent access or copies of the data (forensic teams will investigate backups and logs).
The answers to these will determine longer-term remedial actions and whether statutory notifications to regulators are triggered.
How this fits into a wider pattern
Healthcare systems worldwide are frequently targeted because medical records are highly sensitive and valuable on black-market forums. New Zealand has seen several high-profile cyber incidents in recent years, prompting calls for stronger, sector-wide security standards, mandatory breach reporting rules, and improved incident response readiness. Experts say rapid, clear communication and support for affected patients are critical to limit harm.
