Major Healthcare Data Breach Threatens New Zealand Patients
On December 30, 2025, the Kazu ransomware group publicly claimed responsibility for a significant cyberattack against ManageMyHealth (MMH), one of New Zealand’s most widely-used patient portal platforms. The breach potentially affects thousands of Kiwi patients who use the service to access their medical records, test results, and communicate with healthcare providers.
What Happened?
ManageMyHealth operates a secure online patient portal that connects New Zealanders with their general practitioners and healthcare providers. The platform allows patients to view test results, request prescription renewals, book appointments, and manage their health information digitally.
According to the threat actors, they have exfiltrated approximately 108 gigabytes of data comprising 428,337 files. The stolen information allegedly includes highly sensitive patient data such as full names, comprehensive medical records, laboratory test results, prescription histories, appointment schedules, complete health history logs, and personal communications between patients and their healthcare providers.
The Ransom Demand
The Kazu group has set a ransom demand of $60,000 USD with an expiration deadline of January 15, 2026. If the ransom is not paid by this date, the group has threatened to publicly release the stolen patient information on their leak site, potentially exposing thousands of New Zealanders to privacy violations and identity theft risks.
Who is the Kazu Ransomware Group?
Kazu is a relatively new ransomware operation that emerged in September 2025 but has quickly established itself as a significant threat to the healthcare sector. Since its appearance, the group has claimed responsibility for more than 30 breaches across various sectors, with a particular focus on healthcare organizations and medical service providers.
The group operates using a double-extortion model, where they not only encrypt victim systems but also steal sensitive data before encryption. This gives them additional leverage to demand payment, as victims must consider both the cost of system recovery and the potential reputational and legal consequences of having patient data publicly released.
What Data May Be At Risk?
The allegedly compromised information represents some of the most sensitive personal data New Zealanders possess. Medical records contain not just health information but often include identifying details such as addresses, phone numbers, dates of birth, and in some cases, financial information related to healthcare payments.
This type of data is particularly valuable to cybercriminals because it can be used for identity theft, insurance fraud, and targeted phishing attacks. Health information, unlike credit card numbers, cannot simply be cancelled and replaced, making it a permanent risk to affected individuals.
What Should ManageMyHealth Users Do?
If you are a ManageMyHealth user, consider taking the following precautions:
Monitor your accounts: Keep a close eye on your medical records and health insurance statements for any unauthorized access or fraudulent activity. Look for appointments you didn’t book or prescriptions you didn’t request.
Be alert for phishing: Expect an increase in targeted phishing emails that may reference your medical information to appear legitimate. Be extremely cautious about any communications claiming to be from healthcare providers requesting personal information or payment details.
Change your passwords: If you use the same password for ManageMyHealth as you do for other online accounts, change those passwords immediately. Use unique, strong passwords for each service.
Consider a credit freeze: With access to your personal details, criminals could potentially open accounts in your name. A credit freeze prevents new accounts from being opened without your explicit authorization.
Watch for official communications: ManageMyHealth and the relevant health authorities will likely provide official guidance to affected users. Pay attention to legitimate communications from these sources while being wary of impersonators.
The Growing Threat to Healthcare
This incident highlights the increasing vulnerability of healthcare IT systems to ransomware attacks. Healthcare providers hold vast amounts of sensitive data, making them lucrative targets for cybercriminals. The sector’s increasing digitization, while offering many benefits for patient care, also expands the attack surface for threat actors.
Healthcare organizations often face particular challenges in defending against cyber threats due to legacy systems, limited IT security budgets, and the critical nature of their operations which can make them more likely to pay ransoms to restore services quickly.
New Zealand’s Broader Cybersecurity Picture
This attack comes at a time when New Zealand organizations across all sectors are facing increased cyber threats. The country’s relatively small size and geographic isolation do not provide protection in the digital realm, where attackers can operate from anywhere in the world.
New Zealand’s National Cyber Security Centre (NCSC) has repeatedly warned organizations about the rising threat of ransomware and urged them to implement robust cybersecurity measures, including regular backups, network segmentation, multi-factor authentication, and employee security awareness training.
What Happens Next?
As of this writing, ManageMyHealth has not issued a public statement confirming or denying the breach. The company’s response in the coming days will be critical. Under New Zealand’s Privacy Act 2020, organizations that experience a privacy breach involving serious harm must notify affected individuals and the Privacy Commissioner.
The January 15 deadline set by the Kazu group means that affected individuals and healthcare providers need to prepare for the possibility that their information could be made public. Healthcare organizations using ManageMyHealth should be reviewing their incident response plans and preparing to support affected patients.
Protecting Yourself Going Forward
While we cannot undo data breaches that have already occurred, we can take steps to minimize future risk. For New Zealanders using online health portals and other digital health services, this incident serves as a reminder to practice good digital hygiene: use strong, unique passwords; enable multi-factor authentication wherever available; be cautious about what information you share online; and regularly review your account activity for anything suspicious.
For healthcare providers and other organizations handling sensitive data, this breach underscores the critical importance of investing in robust cybersecurity defenses, conducting regular security audits, training staff on security awareness, and having comprehensive incident response plans in place.
Resources and Support
If you believe you may be affected by this breach, you can contact:
CERT NZ: New Zealand’s Computer Emergency Response Team provides advice and support for cybersecurity incidents at www.cert.govt.nz or 0800 CERT NZ (0800 2378 69).
Office of the Privacy Commissioner: For concerns about privacy breaches, visit www.privacy.org.nz or call 0800 803 909.
NetSafe: For advice on staying safe online and dealing with online fraud, visit www.netsafe.org.nz or call 0508 NETSAFE (0508 638 723).
This is a developing story, and we will update this article as more information becomes available from ManageMyHealth, health authorities, and cybersecurity researchers tracking the Kazu ransomware group.