MMH cyber breach update 9 January 2026

MMH cyber breach update 9 January 2026

Further to our 8 January 2026 statement regarding the cybersecurity crime, Manage My Health (MMH) provides the following update.

Our priority focus remains on direct communications with affected patients and practices. MMH would like to reiterate its sincere apology to those impacted by this criminal cyber breach. We understand it is distressing and appreciate the frustration at the timing of communications. However, this is a complex exercise which unfortunately cannot be simplified due to the separate cohorts of patients affected which have to be dealt with in different ways.

As a result of which, there is unfortunately no scenario in which MMH could issue instant notifications to those impacted by the breach. Direct notifications have required coordination and clearance from relevant authorities and health sector stakeholders such as GP organisations.

Upon ascertainment of the breach, we immediately contacted Health NZ and various other Government agencies for their cooperation and management of this incident. We also duly notified the Privacy Commissioner of the breach. We knew it did not affect the core MMH application and was confined to a documents folder which was outside the main database.

We immediately appointed our cyber security forensic experts to analyse the cause of the breach and the investigations are ongoing. We also had an independent vulnerability application test conducted which confirmed the current system environment is secure, and therefore can offer an assurance that the breach was swiftly contained.

Legal

Injunction orders were secured in the interests of protecting client data and to minimise any abuse of data.

Further, MMH has taken all necessary steps to ensure that direct notification to affected practices and patients has complied with relevant legislation including the Privacy Act 2020 and the Health Information Privacy Code.

Patient notification

Direct notifications to patients affected are ongoing, as we are addressing several categories of people, and we expect to complete contacting all remaining patients that can be notified by early next week. More than half of all impacted patients have now received a notification email.

0800 number for affected individuals

An 0800 number has been established for impacted individuals to call for support and assistance should they require. This number will not be publicly available and only shared with impacted individuals via direct notification, as the team manning this number is dedicated to supporting impacted individuals only.

Technical support

We are aware of some reports of users experiencing technical difficulties, such as receiving emails, accessing the patient portal and viewing documents in their account. For these and all other enquiries, the MMH team continues to be available via all usual contact methods including via social media direct message or [email protected]

Media enquiries

MMH appreciates the significant national interest in this criminal cyber breach, given the platform’s role in storing medical information.

As this criminal cyber breach is subject to a police investigation, a full forensic review, and there are privacy concerns involved, there are valid constraints to what MMH can comment on publicly. MMH values its relationship with all media and aims to be accessible, open, and transparent in its communications.  

MMH is endeavouring to respond to all individual enquiries and will provide answers to specific questions where possible within these constraints. Regular statements from MMH are shared with media and placed on the website.

Media note: Please see FAQs below for additional information which may be useful based on recurring question themes.

Hacker and ransom demand

A cyber-attack is criminal activity, and this incident is subject to a police investigation. MMH is unable to provide any comment relating to the hacker, or any ransom demand.

Police advice is that third parties should not engage directly with criminal hacker groups, including in this situation. Doing so is not in the best interest of those impacted by this incident and can have un-anticipated consequences.

Police also advise that anyone who has been notified that their data is included in the breach does not need to contact police as this has been covered by the Manage My Health report to police. However, police should be contacted if there is evidence of misuse of personal information.

Government guidance on cyber ransom payments: The New Zealand Government recommends not paying a ransom. Payment does not guarantee that you will get your data back, may breach sanctions, and creates harm to others by providing funding for criminal activities.

Security posture and encryption

MMH employs current security measures such as encryption of health data in its database and user passwords.

MMH is an ISO 9001 and ISO 27001 certified organisation. We have quality assurance processes with regular testing of our systems.

MMH comment on other hacking attempts

MMH continuously monitors and upgrades its security and data protection systems. This is a continuing process and criminals find sophisticated new ways of attacking any large system which contains personal data, as has been evidenced in both the health and non-healthcare sectors globally and New Zealand is no exception.

The Office of the Privacy Commissioner confirmed on 7 January that they received an email via their enquiries in-box from an anonymous source about Manage My Health in June 2025 alleging names, email addresses and passwords were exposed in the Manage My Health platform.

In this case we investigated and did not find any breach. However, out of an abundance of caution, we forced password resets on the users concerned. We also reinforced that two factor authentication is available to users of Manage My Health for them to use to enhance the security of their access to the portal. 

FAQs

• Number of affected patients
  • The number of patients impacted is approximately 125,000.

• Patient notification progress and accuracy
  • Patient notifications continue. More than half of all impacted patients have now received a notification email. All patients who are not impacted can see that in their MMH app. In a small number of cases, users were notified that they were impacted, but the app showed that they were not impacted – this was caused by the timing of the emails being sent, and the app being updated. This has been updated and all users see the correct details in the app after they have been notified.

• Document removal
  • MMH has not removed or changed any documents in MMH which were affected. No direct reports of this nature have been made to MMH, however if any user believes documents are missing from their account, they are encouraged to contact MMH directly.

• Blank/contradictory emails being sent to patients
  • Some email clients may not have displayed the email correctly, and we have corrected this are sending follow up emails where necessary.

• Northland impact
  • MMH provides a service for Northland patients to receive hospital discharge summaries through MMH. This solution was a benefit to Northlanders who did not have to wait in hospital to receive paper records and was of particular benefit to Northlanders who are not enrolled with a GP. This arrangement was not in place in other regions.

• Overseas patients blocked from accessing accounts
  • Out of an abundance of caution, we limited the countries that can access MMH to UK, USA, Aus and NZ during the incident and will gradually restore access internationally 

• Website traffic volume
  • The website has been standing up well, despite the large increase in traffic. We increased capacity as much as possible at short notice to accommodate expected volumes. While some users have experienced some slowness, the application has been operational, and most users are getting the information they need. We ask people to have patience please and to not access the website unless they need to until this notification process is complete.
    

• MMH database location
  • The MMH database has always been located in NZ, via NZ data centres.
    
    
• Instructions given to GPs about informing patients
  • MMH is responsible for notifying patients. MMH has shared information with GPs about their impacted patients, but GPs are not expected to notify patients. However, we have prepared an information pack to assist practices, both with affected patients and not, which is being shared this week to support practices with communications to their patients. 
     
• Prevention measures for future cyber incidents
  • MMH has taken a number of prevention measures. In the first event, we have secured our systems and contracted separate external organisations to run VAPT testing processes to validate our system testing. We are currently carrying out forensic investigations which are still ongoing.

For any further information, please refer to our frequently asked questions here: FAQs – Cyber Breach | Manage My Health  

Next update

MMH will issue its next update on Monday 12 January 2026 once the company has made further progress with direct communications with GP practices, patients and stakeholders.

Our regular updates can be found here: www.managemyhealth.co.nz

As always, if any patients or practices have any concerns or questions, please contact us directly via [email protected]