WELLINGTON, New Zealand — New Zealand’s Health Minister Simeon Brown has ordered an urgent review after the ManageMyHealth breach exposed documents linked to as many as 126,000 patient portal users. The government move follows a criminal intrusion that the company says was contained but has heightened concern about how sensitive health information is stored and protected, Jan. 10, 2026.
ManageMyHealth breach: what was taken and who was affected
Manage My Health, a privately operated portal used by general practices around the country, says the ManageMyHealth breach was limited to the “My Health Documents” module — a section that stores documents, including files uploaded by patients — and did not compromise appointment, prescription or GP-provided “Health Records” functions. In an update, the company said the incident affected about 6% to 7% of its roughly 1.8 million registered users. For more detail, see Manage My Health’s Jan. 8 cyber breach update.
Officials and reporting indicate the stolen material originated predominantly from Northland and involved documents linked to about 45 general practices in the region, including some clinical discharge summaries and older referral records. The company also said around 355 “referral-originating” practices across multiple regions were implicated, alongside personal health information uploaded by users.
ManageMyHealth breach response: notifications, an injunction and what patients can do
Notification efforts have been rolling out in stages, with the company telling media it had contacted a first tranche of affected users and practices as it verified accounts tied to compromised files. According to 1News’ reporting on patient notifications and the government review, the company also obtained an interim High Court injunction aimed at preventing third parties from accessing, sharing or publishing any stolen data.
While the ManageMyHealth breach investigation continues, cybersecurity specialists and officials have repeated basic protective steps for patients:
Change your portal password (especially if you reuse it elsewhere).
Enable multi-factor authentication where available.
Be alert for phishing — especially messages referencing medical documents or “verification.”
For broader industry context on the incident’s scale and the portal’s role, see Healthcare IT News’ coverage of the Manage My Health hack and RNZ’s initial report confirming the breach.
Why this ManageMyHealth breach is triggering renewed scrutiny
The review comes as New Zealand’s health sector continues to grapple with the aftershocks of previous cyber incidents that exposed how disruptive — and personal — healthcare breaches can be. In 2021, attackers released stolen Waikato District Health Board documents online after a ransomware attack that crippled hospital systems, according to RNZ’s June 2021 reporting on leaked Waikato DHB files. A later analysis pointed to systemwide lessons and recommendations, including preparedness and resilience, in Healthcare IT News’ 2022 coverage of the Waikato DHB review, while a deeper privacy-focused discussion is outlined in the Privacy Foundation’s commentary and addendum on the Waikato incident.
For patients and providers, the immediate question is whether any stolen files will surface despite court action. For policymakers, the ManageMyHealth breach is now a test of whether oversight, vendor assurance and incident response in the digital health ecosystem can keep pace with attackers targeting high-value medical data.
