Seek My Health

Health Marketplace

Beating the Blues

Manage My Health has published an update regarding the cyber security incident identified on 30 December 2025. Read the full notice here.

Support
Sign in
Sign in

FAQs related to Cyber Breach

View FAQs
View News & Updates

FAQs – Account Security Status

1. How do I check my Account Security Status?
Log in to your Manage My Health account. Your Dashboard will clearly show your Account Security Status, stating whether your account was impacted or not impacted. You can click “Check now” to view more details.

If you don’t see the Account Security Status, it means your account is still under review. Reviews are being completed in phases, and this does not indicate that your account has been impacted.

2. Has my personal or health information been accessed, and how do I know if my account was impacted?
Based on our investigation, we believe that approximately 5-6% of users were affected by this incident. If your information was involved, Manage My Health will contact you directly with confirmation and next steps.

You can also check your status by logging in to Manage My Health. Your Dashboard will show whether your account was impacted or not impacted, and you can click “Check now” to view further details on the Account Security Status page.

If you don’t see the Account Security Status, it means your account is still under review. Reviews are being completed in phases, and seeing “under review” does not indicate that your account has been impacted.

3. Why did it take time to confirm which documents were affected?
Time was required to ensure accurate information was shown to the correct users. Manage My Health introduced the Account Security Status so users can see verified, document-level information specific to their account.

If you don’t see the Account Security Status, it means your account is still under review.

4. If I have not received an email, does that mean my account was not affected?
At this stage, users who have an active MMH identified as impacted have been contacted directly. If your account status changes, Manage My Health will contact you.

You can also verify your status by logging in and checking your Account Security Status on the Dashboard, or by clicking “Check now”. If you don’t see the Account Security Status, it means your account is still under review.

5. Why am I being directed to the Manage My Health web application?
Manage My Health is temporarily directing users to the web application to ensure consistent access to information and support. The web application displays your Account Security Status on the Dashboard and allows you to view details by clicking “Check now”.

6. What safeguards are in place to prevent unauthorised access to Manage My Health and provide assurance about the security of patient information?
Internationally recognised cybersecurity experts have tested the current application and environment and confirmed that it is safe and secure. We also recommend that users enable multi-factor authentication to protect their accounts. We take the security of the application very seriously and continue to invest in monitoring, testing, and improvement to reduce risk and prevent unauthorised access.

FAQs – Information Involved

7. What type of information was involved?
The incident relates to documents stored in the My Health Documents section. This includes:

  • Documents users uploaded themselves, such as correspondence, reports, or results
  • Clinical documents from Northland hospital including outpatient clinics. Examples of clinical documents are hospital discharge summaries, clinic letters and operation reports.

This did not include GP clinical systems, live medical records, prescriptions, secure messaging, or appointment systems.

8. Does this breach affect my GP, clinic, or hospital records?
No. GP clinical systems, hospital systems, prescriptions, secure messaging, and appointment systems were not affected.

9. Were any live medical records or GP notes accessed?
No. Live medical records, GP notes, prescriptions, secure messaging, and appointment systems were not accessed or affected.

10. What does “accessed” mean, and is that the same as “downloaded”?
“Accessed” means an unauthorised party may have viewed or opened files. “Downloaded” means files were copied out of the environment. Independent forensic analysis is being used to confirm what was accessed and what may have been downloaded.

An account is marked as “impacted” based on forensic identification, regardless of whether documents were viewed or downloaded.

FAQs – Cyber Breach Incident

11. What happened to Manage My Health in the cyber security incident?
Manage My Health identified a cyber security incident involving unauthorised access to a specific feature of the platform in New Zealand. The issue has been contained, the affected feature secured, and independent international cyber security specialists have been engaged to investigate and confirm the impact.

12. Is the Manage My Health platform safe to use?
Yes. The unauthorised access has been contained. The platform remains operational, and independent cyber security specialists have confirmed the current system environment is secure and operating as intended.

13. Is the cyber security incident still ongoing?
No. The unauthorised access has been contained, and the affected feature has been secured. Ongoing monitoring remains in place.

14. What is Manage My Health doing in response?
Manage My Health has secured the affected feature, engaged independent cyber security specialists, notified regulators, and implemented additional safeguards and monitoring. We are working with the Office of the Privacy Commissioner, New Zealand Police, and Health New Zealand.

15. Have you notified the Office of the Privacy Commissioner?
Yes. The Office of the Privacy Commissioner has been notified, and Manage My Health is working with Health New Zealand and other relevant agencies.

16. Who is overseeing the response to this incident?
The response is being managed by Manage My Health with support from independent cyber security specialists and in coordination with the Office of the Privacy Commissioner, Health New Zealand, and New Zealand Police.

FAQs – What You Should Do

17. Do I need to change my password or take any action?
As a precaution, change your password, especially if you reuse it across other services. Users can also enable multi-factor authentication (MFA) for additional security. 

18. How do I know an email or call is really from Manage My Health?
Manage My Health will never ask for your password or one-time security codes. Be cautious of unexpected or urgent messages. 

19. What should I do if someone contacts me claiming to have my health information?
Do not engage with them. Contact New Zealand Police on 105, or 111 in an emergency, and report the matter to the Manage My Health support.

20. Should I be concerned about identity theft or scams?
Manage My Health has partnered with IDCARE, Australia and New Zealand’s identity and cyber support service. IDCARE provides free, confidential support for identity misuse or compromise.

21. Do I need to contact my GP, practice, hospital, or specialist?
No. You do not need to contact your GP, practice, hospital, or specialist unless they advise you to do so separately.

22. Will this incident affect my future care or access to services?
No. Your access to healthcare services and your ability to receive care are not affected.

23. I have heard that calls to the 0800 affected patient support number are not being answered. Is that correct?
No. The 0800 affected patient support line is being actively staffed and calls are being answered. Call volumes vary by day. The average wait time for a call to be answered is less than eight minutes.

FAQs – Your Account & Privacy

24. How do I delete documents or close my Manage My Health account?
You can delete individual documents you uploaded by accessing the My Health Documents folder.

To delete your Manage My Health account, follow these steps:
1. Log in to your Manage My Health account.
2. Go to your Profile section.
3. Select “Close Account” from the menu options.

25. What happens to my health information after I close my account?
Once your account is closed, your previously stored health records will be deleted from the portal and become permanently inaccessible, and they cannot be recovered.

26. Can I reopen my account later?
No. Because your portal records become permanently inaccessible once an account is closed, you would need to register again if you wish to use the Manage My Health portal in the future.

27. Can I request access to my personal information under the Privacy Act 2020?
Yes. You can access your personal information directly by logging into Manage My Health and downloading a copy. Records uploaded by your medical centre or hospital can be requested from those organisations. Manage My Health does not access or send personal information on your behalf.

FAQs – Two-Step Verification

28. What is Two-Step Verification?
Two-Step Verification adds an extra layer of security to your account.
In addition to your username and password, you must enter a one-time verification code to confirm your identity when logging in.

This helps protect your personal and health information from unauthorised access.

29. Why is Two-Step Verification now mandatory?
Two-Step Verification is now required for all users to provide consistent protection for sensitive health information.
It helps:

  • Protect your personal and medical data
  • Prevent unauthorised access
  • Improve overall account security

30. Can I turn off Two-Step Verification?
No. Two-Step Verification is required for all users and cannot be disabled.

31. Can I log in without Two-Step Verification?
No. Two-Step Verification is mandatory for all users on both the web portal and mobile app and cannot be turned off.

  • Two-Step Verification in Web portal: Email verification or Authenticator App
  • Two-Step Verification in Mobile Apps: Biometrics (Face Id or Touch Id)

32. How does Two-Step Verification work on the web portal?

  1. Enter your username and password.
  2. A verification code is sent to your registered email address.
  3. You will see a “Verify Your Identity” screen.
  4. Enter the code from your email to complete login.

After your first successful login, you will be directed to your Two-Step Verification settings.

33. How does Two-Step Verification work on the mobile app?

  1. Enter your username and password.
  2. A verification code is sent to your registered email.
  3. You will see a “Check your email” screen.
  4. Enter the code to continue logging in.

After your first successful verification, you may enable biometric login (Face ID or fingerprint) for faster future sign-ins.

34. Do I need to complete Two-Step Verification every time I log in?

  • Web portal: Verification is required when you log in.
  • Mobile app: If biometrics are enabled, you may use biometric login, but periodic email verification will still be required.

35. Why is email verification the default method?
Email verification provides:

  • Immediate access without extra apps
  • A consistent security baseline
  • A reliable way to confirm your identity

36. How long is the verification code valid?
The one-time verification code expires after 30 minutes. If your code expires, return to the sign-in screen and request a new code. Always use the most recent email you receive.

37. Can I resend the verification code?
Yes. You can request a new verification code from the login screen, subject to resend limits and wait times.

38. What should I do if I don’t receive the verification email?

  • Check your spam or junk folder.
  • Ensure your email inbox is not full.
  • Wait a few minutes and try again.
  • Request a new code if available.

If you still don’t receive the email, contact support.

39. What happens if I enter the wrong verification code?

  • You will see an error message.
  • You can return to the verification screen and try again.
  • Multiple failed attempts may temporarily lock your account.

40. What happens if I get a verification code I didn’t request?
Do not share the code with anyone. This may indicate someone is attempting to access your account. Contact support if you are concerned.

41. How many incorrect verification or login attempts are allowed before my account is locked?
A maximum of 4 incorrect attempts is allowed. On the 5th unsuccessful attempt, your account will be temporarily locked.

42. If my account is locked due to multiple incorrect attempts, how long will the lock last?
Your account will be automatically unlocked after 2 minutes.

43. How many OTP resend attempts are allowed on the mobile app?
You can resend the OTP up to 2 times. On the 3rd resend attempt, your account will be locked for 3 minutes.

44. Can I use an authenticator app instead of email?
Yes, on the web portal only. After your first login, you can change your verification method in your Two-Step Verification settings. Authenticator apps are not supported on the mobile app.

45. What is Authenticator App Verification?
Authenticator App Verification is a more secure way to protect your account using Multi-Factor Authentication (MFA). After entering your username and password, you will be required to enter a 6-digit code generated by an authenticator app on your mobile device.

46. Why should I switch to an Authenticator App instead of SMS or Email verification?
Using an authenticator app is:

  • More secure (codes are generated on your device)
  • Works offline (no SMS or email required)
  • Faster and more reliable
  • Industry-standard protection used globally

47. Which authenticator apps are supported?
The system supports:

  • Google Authenticator
  • Microsoft Authenticator
    You can download them from the App Store (iOS) or Google Play Store (Android).

48. How do I set up Authenticator App Verification?
Follow these steps:

  1. Go to Two-Step Verification
  2. Click Switch to Authenticator App
  3. Select your preferred authenticator app
  4. Scan the QR code displayed on screen using the app
  5. Enter the 6-digit code generated by the app
  6. Save your recovery codes securely
  7. Click Complete Setup

Once completed, Authenticator App Verification will be enabled.

49. What if I cannot scan the QR code?
If you cannot scan the QR code:

  1. Click “Can’t scan the QR code?”
  2. Copy the secret key displayed on screen
  3. Enter the key manually in your authenticator app

50. What is the 6-digit verification code?
After scanning the QR code, your authenticator app will generate a 6-digit code. Enter this code on the setup screen to complete the verification. The code refreshes automatically every 30 seconds.

51. What are recovery codes?
Recovery codes are one-time use backup codes that allow you to log in if:

  • You lose your phone
  • Your device is damaged
  • You uninstall the authenticator app
  • You cannot access your authenticator app

52. When should I use a Recovery Code?
Use a Recovery Code only when you cannot complete the normal Two-Step Verification process.

53. How should I store my recovery codes?
You should:

  • Save them in a secure password manager, OR
  • Store them in a secure offline location (e.g., printed and kept safely)

Do not share your recovery codes with anyone.

54. Can I use the authenticator app on multiple devices?
For security reasons, it is recommended to set up the authenticator on one primary trusted device.
If you change devices, you should disable and reconfigure the authenticator setup.

55. Can I use Face ID or fingerprint on the mobile app?
Yes. After your first successful email verification, you can enable Face ID or fingerprint login for faster future access.

56. Will I still need email verification if I use biometrics?
Yes. Email verification may be required periodically as part of ongoing security checks.

57. Can I use Manage My Health on multiple devices?
Yes. However, Two-Step Verification will be required when signing in on new or different devices.

58. What happens if I change or lose my mobile device?
Simply install the app on your new device and log in using your username, password, and email verification code.

59. What if my email address is outdated or I cannot access it?
You will need to contact Manage My Health support or your healthcare provider to update your email address before you can log in.

60. Do I need internet access for Two-Step Verification?
Yes. Internet access is required to receive and enter verification codes.

61. What should I do if the verification code is not working?
Please check:

  • Your phone’s date and time are set automatically.
  • The correct account is selected in the authenticator app.
  • You are entering the current (not expired) code.

If the issue continues, try resynchronizing the app or contact support.

62. Can I switch back to SMS or Email verification later?
Yes. You can manage your Two-Step Verification settings anytime from your account security settings.

63. What if my account is locked?
Your account may be temporarily locked after multiple incorrect login or verification attempts.
Please wait until the lock period ends before trying again and ensure you are using the latest verification code sent to your email.

FAQs – Public Notice

64. Where can I read the public notice about the Manage My Health cyber security incident?

The full public notice about the Manage My Health cyber security incident is available on the Manage My Health website. You can read the notice, including updates, guidance, and support information, here: https://managemyhealth.co.nz/public-notice/

News & Updates related to Cyber Breach

MMH
Cyber Breach

MMH Privacy breach public notice 

Privacy breach public notice  On 30 December 2025, Manage My Health identified a cyber security incident involving  unauthorised  access to a specific feature of the platform in

Read More »
04 March 2026
MMH
Cyber Breach

MMH cyber breach update 13 January 2026

MMH cyber breach update, 13 January 2026  Further to our 12 January 2026 statement regarding the cybersecurity crime, Manage My Health (MMH) provides the following update.   Update on patients affected  MMH and forensic cybersecurity experts

Read More »
13 January 2026
MMH
Cyber Breach

MMH cyber breach update 8 January 2026

Further to our 7 January 2026 statement regarding the cybersecurity incident, Manage My Health (MMH) provides the following update.  Direct notification of affected patients remains the foremost priority for Manage My Health this week.  Patient notifications 

Read More »
08 January 2026
Load more articles
Scroll to Top
Sign in
Menu

Support