Further to our 5 January 2026 update regarding the cyber security incident, Manage My Health provides the following update.
Direct communication with providers
As communicated in our last update, we have identified all patients whose documents may have been accessed in this incident. We have now notified the first group of affected general practices and unaffected practices in a communication that was distributed on the afternoon of 5 January.
Impact on the practices
We have advised the affected practices that the independent forensic investigation has confirmed that some patients associated with their practice have been affected, and are providing resources to help them respond to any patient inquiries.
Based on our findings, the incident was limited to 6-7% of our 1.8 million registered users of the ‘My Health Documents’ module on the Manage My Health app.
Information in the Manage My Health core module, in respect of appointments and prescriptions in the Health Record function, has not been accessed, and the portal has been independently confirmed as secure.
We have advised practices that the list of patients enrolled who have been impacted is available to the practice in the secure MMH Provider Portal. The MMH Provider Portal will state the name of the patient and the records accessed in the incident. We have recommended that practices review the list and advise us of any concerns about any vulnerable patients receiving notifications, so that we can provide appropriate support.
Features on the Manage My Health app which allow practices to see if they are affected have now also gone live to assist practices. We are working on a process to inform practices who have left Manage My Health.
Affected individuals
We are currently working through the Privacy Act notification process for each affected individual, in conjunction with Health NZ and the Office of the Privacy Commissioner.
The Privacy Act requires individuals to be notified when their information has been accessed in an unauthorised way. MMH is taking on this responsibility on behalf of the practices, to which the information is being provided so that practices can provide support after individuals have been notified. Privacy Act notifications will go to practices through Manage My Health, together with details of how more information and support can be accessed.
MMH will establish and promote an 0800 helpline number where impacted patients can get advice and support. Practices will also be notified of this helpline as soon as it is available so they can direct patients to it.
Features on the Manage My Health app will go live soon to allow affected individuals to determine whether any of their documents have been impacted in this cyber event.
Protecting Against Abuse of Data
Manage My Health has obtained injunction orders on an interim basis from the High Court preventing third parties from accessing any stolen data.
The orders:
- Restrain third parties from accessing or in any way dealing with the stolen data.
- Require that anyone with access to the stolen data or any information obtained from it immediately delete it.
- Require that anyone immediately delete and take down any and all publications of or links to copies of the affected dataset or information obtained from it.
Formal sealed versions of the orders have been sought.
We continue to work around the clock and closely with authorities and agencies to respond to this incident and resolve the matter for patients and general practices.
We sincerely apologise for the pain and anxiety this incident has caused to our providers and patients, as a result of this activity against our systems.
Contact
In the interim, if any patients or practices have any concerns or questions, please contact us directly via [email protected]
FAQs
For any further information, please refer to our frequently asked questions here: FAQs – Cyber Breach | Manage My Health
Our regular updates can be found here: www.managemyhealth.co.nz
