Further to our 7 January 2026 statement regarding the cybersecurity incident, Manage My Health (MMH) provides the following update.
Direct notification of affected patients remains the foremost priority for Manage My Health this week.
Patient notifications
Direct notifications to the first 50% of patients affected commenced this morning.
Notifications are being sent via email to the address patients used to register their account, and this communication will be personally addressed to the name associated with the account. A reminder that patients should keep an eye out for anything unusual – MMH will never ask for log-in credentials – and that we are intentionally redirecting MMH mobile app users to the MMH web application so that notification information is consistent across platforms.
These email notifications will include an 0800 number that impacted individuals can call for support and assistance should they require it.
Practice notifications
MMH has been communicating with general practices daily since first notifying practices on 31 December that a cyber incident had occurred. Resources are being shared with practices this week, both those with affected patients and those without, to support practices with communications to their patients.
Breach containment
We understand and sincerely apologise for the pain and anxiety this criminal activity has caused to our providers and patients.
The MMH app consists of multiple modules. One of these contains data provided directly by a GP and is referred to within the app as “Health Records”. The app also includes a separate module called “My Health Documents”, which stores documents, including those uploaded by users.
MMH would like to clarify that the breach was limited to data stored in the “My Health Documents” module only. User data stored in the GP-provided “Health Records” module was not compromised as part of this incident.
Here’s a summary of the facts, to date:
- The cyber incident was limited to 6-7% of our 1.8 million registered users, within the “My Health Documents” module only
- The data relates to a range of medical practices, including:
  - Approximately 45 Northland-based GP practices
  - Clinical discharge summaries and historical clinical referral records in the Northland region (data that is between six and eight years old)
  - Approximately 355 “referral-originating” GP practices across a number of New Zealand regions
  - Personal health information uploaded by patients
Northland practices
Our investigation has shown that the data taken originates predominantly from the Northland region: documents that were shared with patients through the My Health Documents module and were the subject of the unauthorised access.
We recognise the disproportionate impact that this incident has had on some Northland communities. We are working closely with Health NZ/Te Whatu Ora as the data controller for Northland region documents to ensure those affected receive appropriate support and information.
System security
We can confirm that we received independent confirmation from our cyber security specialists that the current system environment is secure and operating as intended.
MMH is an ISO 9001 and ISO 27001 certified organisation. We have quality assurance processes with regular testing of our systems.
Patient data
Manage My Health does not automatically delete patient accounts or data when a practice stops using the platform. For example, many MMH users have signed up for accounts that are not linked to doctors and use the many features of the application that are not related to communications with their GP. In addition, many patients change doctors / practices while keeping their MMH account. Accounts remain active unless the patient chooses to close their account, whereupon the data is deleted.
Advisory Board
Honorary Clinical Advisor
Emeritus Professor Murray Tilyard ONZM has been appointed as an Honorary Clinical Advisor to the Manage My Health Board. Professor Tilyard brings more than three decades of leadership in New Zealand general practice, research and clinical governance. He is Emeritus Professor and former Chair/Head of General Practice at the Otago University (Dunedin) School of Medicine (1993–2022). Prof Tilyard continues to hold a practising certificate and is a Distinguished Fellow of the RNZCGP.
In this advisory role he will provide independent expert clinical advice to the Manage My Health senior team and board, and strengthen Manage My Health’s clinical governance, decisions and patient communications following the recent cyber incident.
Professor Tilyard’s appointment is to provide patients, clinicians, and stakeholders additional confidence that decisions affecting individual patients, and in particular vulnerable patients, have senior clinical oversight and guidance.
High Court order protecting patient data
MMH has sought further protection to prevent third parties from accessing any data based on injunction orders from the High Court. The order has been served to major media outlets. We have an international team monitoring known data leak websites and are prepared to issue takedown notices immediately if any information is posted.
As a precaution, patients are encouraged to change their passwords and use multi-factor authentication, especially if they reuse passwords across other services.
Police advice regarding the threat actor
A reminder that Police advice is that third parties should not engage directly with criminal hacker groups, including in this situation. Doing so is not in the best interest of those impacted by this incident and can have unanticipated consequences.
FAQs
For any further information, please refer to our frequently asked questions here: FAQs – Cyber Breach | Manage My Health
As always, if any patients or practices have any concerns or questions, please contact us directly via [email protected]
Our regular updates can be found here: www.managemyhealth.co.nz
