Further to our update issued on 1 January 2026, Manage My Health is providing additional factual clarification as investigations continue.
We recognise the public interest in this matter and the importance of providing clear, accurate information while forensic work remains ongoing.
Timeline and notifications
Manage My Health became aware of the cyber security incident on 30 December 2025, following notification from a partner.
On becoming aware of the issue, our immediate priorities were to secure the platform, prevent any further unauthorised access, and preserve system evidence for forensic investigation. Independent cyber security and forensic specialists were engaged at that point.
The Office of the Privacy Commissioner was notified and we have remained in active contact with the Commissioner’s Office since that time.
Health New Zealand, New Zealand Police and other relevant organisations were also notified, and we are working closely with them to meet regulatory, sector, and legal obligations.
A public holding statement was published on the Manage My Health website on 1 January 2026, followed by further updates as additional verified information became available. We are still ascertaining the various parties affected in what is a complex investigation. We are endeavouring to provide information as it becomes available.
Scope of the incident
Independent forensic analysis is ongoing to validate the full scope of access and any data exfiltration.
Based on investigations to date, we believe that approximately seven per cent of our approximately 1.8 million registered patients may have been affected.
Our preliminary findings indicate that the unauthorised access was to a specific group of documents in the system.
Preliminary investigation reveals no evidence at this stage that the core patient database was accessed, nor any evidence of data modification or destruction within our system, nor any access to user credentials.
Attribution
Attribution remains a matter for law enforcement and forensic investigation, and we are cautious about drawing conclusions while that work continues.
What you can do
Manage My Health recommends that it is best practice to regularly update your password.
To ensure your online security, we strongly advise you read the guidelines provided by the Own Your Online at https://www.ownyouronline.govt.nz/personal/get-protected/
Manage My Health users can enable Mutli-Factor Authentication (MFA) using a supported authenticator app, providing an additional layer of account security.
Supported Authenticator Apps:
- Google Authenticator
- Microsoft Authenticator
Here is the link to instructions to enable the two-factor authentication (you need to be logged in to access the link) – https://app.managemyhealth.co.nz/myaccount/two-step-verification
Next steps
For more information, visit our FAQs page regarding the cyber breach here https://managemyhealth.co.nz/faqs-cyber-breach/
Our priority remains confirming with certainty which individuals and organisations are affected and contacting them directly with clear information and guidance.
We understand the anxiety incidents of this nature can cause, particularly where health information is involved. We appreciate the patience shown by patients, healthcare providers, and partners while this complex investigation continues and we will provide further updates as confirmed information becomes available.
Our next update is scheduled for Saturday 3 January at 3pm.
Sincerely
Vino Ramayah
CEO Manage My Health
