Further to our update issued on 2 January 2026 regarding the cyber security incident we were notified of on 30 December, Manage My Health is providing additional factual details and supporting information as independent forensic analysis continues to progress.
Independent forensic assurance
We have received independent confirmation from our forensic cyber security specialists that the current system environment is secure and operating as intended.
The investigation has identified that one module, Health Documents, within the app was compromised, not the whole app.
Manage My Health is commencing legal action to protect our clients' data.
We now have the complete list of people whose documents may have been accessed and expect forensic confirmation of the documents affected in the coming days. We know that 6-7% of the approximately 1.8 million registered users have been affected by this incident. We expect to start notifying those affected following confirmation of forensics and liaison with PHOs and GPs to ensure that individuals are getting the right information, in line with Privacy Act requirements, and are properly supported.
The forensic team is continuing work to confirm our analysis of the specific documents involved. Completion of this step will enable us to proceed with more targeted communications to affected parties and we will start informing people directly from early next week.
Together with identifying everyone affected, Manage My Health has:
- Fixed the security gap: We’ve identified and closed the specific gaps that allowed unauthorised access. This fix has been independently tested and verified by external cybersecurity experts.
- Made log-ins more secure: We’ve added extra checks when people log in and limited how many times someone can try to access the system in a short time.
- Secured the files: All health documents have been re-secured and their storage has been strengthened.
For peace of mind, any Manage My Health user can reset their password or enable two-factor authentication (2FA) where available, including biometric measures, to add an additional layer of protection to their account.
Instructions for enabling two-factor authentication are available here (you need to be logged in to access the link).
Supported Authenticator Apps:
- Google Authenticator
- Microsoft Authenticator
In addition, keep an eye out for anything unusual, such as medical bills or insurance claims you don’t recognise, or unexpected letters from healthcare providers. If you see anything that looks odd to you, contact the relevant provider immediately. You can also report anything suspicious to the New Zealand Police via police.govt.nz and report any suspected scam calls or emails to the National Cyber Security Centre at www.ncsc.govt.nz.
Coordinated communications with the sector
We are working closely with General Practice New Zealand (GPNZ) leadership and Health New Zealand to coordinate communications to practices and to support consistent, accurate messaging across the sector.
Dedicated support for practices and users
Manage My Health is urgently endeavoring to establish a dedicated helpline to support both practices and users by early next week. Support will be available via:
- An online helpdesk; and
- A dedicated 0800 support number (details to be published as soon as possible).
Manage My Health is working with independent cyber security specialists, the Privacy Commissioner, the New Zealand Police and Health New Zealand regarding the data breach.
Communications to affected practices, organisations, and patients are being prepared and will be issued once final verification steps are completed.
We appreciate the patience and cooperation of practices, patients, and partners. Our priority remains transparency, system security, and ensuring appropriate support is available while the investigation is finalised.
Manage My Health will provide a further update as soon as new information is available.


