Further to our 3 January 2026 update regarding the cyber security incident we were notified of on 30 December 2025, Manage My Health provides the following update.
We sincerely apologise for the pain and anxiety this incident has caused to our providers and patients, as a result of criminal activity against our systems. We continue to work closely alongside Health NZ, the NZ Police and other agencies to respond to this crime.
We acknowledge we could have done a better job at communication, however, our priority was to secure patient data and work on the accuracy of all information before providing it to practices and patients. This has been our paramount consideration.
As we have said from the beginning, we strive to be transparent in our communications, and will be publishing daily updates with all the information we can share with you. There are constraints, both legal and practical to the fast dissemination of this information.
We want to assure the public that since the 30th of December, and throughout the holiday period, our team has been working tirelessly to first and foremost ensure our systems are secure and prevent further intrusions. Secondly, we have been working as part of a cross-sector group to implement processes to begin communication with affected practices and patients.
We acknowledge that this delay has been a cause for concern. We will make every effort to continue to work hard to provide you with accurate and reliable information as urgently as practicable, in consultation with various stakeholders.
Manage My Health welcomes the commissioning of a Ministry of Health review and will cooperate fully with this process. We hope the findings and recommendations of the review are not just helpful to us, but to the whole sector.
Legal action
To protect patient data and confidentiality, Manage My Health has today been granted injunction orders from the High Court preventing third parties from accessing any data posted as a result of the incident.
We have an international team monitoring known data leak websites and are prepared to issue takedown notices immediately if any information is posted.
A cyber-attack is criminal activity, and any unlawful use of private client information will be subject to legal action and takedown orders. Any ransom demand is a matter for NZ Police and Manage My Health will not be making any comment in this regard, as it is an ongoing investigation.
Direct communications beginning this week
We are commencing today, our communications to practices and will be continuing this process throughout the course of this week, until this notification process is complete. Alongside this, we will be providing regular updates via our website, as and when information becomes available and it is appropriate for us to share it.
For context, under the Privacy Act 2020 and the Health Information Privacy Code, the obligation to notify affected individuals sits with the agency that holds the information. Where health documents originate from multiple sources, there may be multiple data controllers with independent notification obligations. This requires coordination to ensure we meet our legal obligations.
Affected Patients
We have identified all patients whose documents may have been accessed in this incident.
Direct patient notification will commence this week. The exact timing requires coordination with Health New Zealand, GPNZ, and GP practices to ensure patients receive clear, consistent information and do not receive multiple or confusing notifications from different organisations about the same incident.
General Practices
We have commenced notifying practices from today. Each practice will receive access to a confidential list of their affected patients through our secure Provider Portal, along with guidance on supporting patients who contact them with questions.
This will enable general practices to prepare for patient enquiries before patients receive direct notification from us. GPs are often the first point of contact for concerned patients, and we want to ensure they have the information they need.
Patient support
We will start the patient communication process after practices have been notified. A dedicated 0800 helpline will be established for affected patients as soon as possible. Further details, including the phone number and operating hours, will be provided in our next update.
Independent forensic investigation
An independent forensic investigation by specialist cybersecurity consultants continues. As this is an ongoing investigation, we cannot currently comment on specific technical findings.
We share the pain suffered by Kiwis by this cyber-crime, and are committed to ensuring your data is safe and will work to restore the trust you have in us.
Contact
In the interim, if any patients or practices have any concerns or questions, please contact us directly via [email protected]
FAQs
For any further information, please refer to our frequently asked questions here: FAQs – Cyber Breach | Manage My Health
Our regular updates can be found here: www.managemyhealth.co.nz
