Overview
- Cyber-security specialists say Manage My Health ignored detailed warnings about weak controls two years ago, including the absence of multi-factor authentication and the ability to access unencrypted files.
- Health NZ signalled it is considering independent assurance for vendors, as industry and officials debate whether self-regulation and low penalties left critical patient data exposed.
- Roughly 120,000–127,000 users were affected after an intruder used a valid password to access the Health Documents module, with the actor ‘Kazu’ claiming 108GB of files and demanding US$60,000.
- Manage My Health’s notifications have been inconsistent, with the company conceding some people were wrongly told they were impacted and patients reporting conflicting messages and overloaded support channels.
- The High Court granted injunctions restricting use or publication of the stolen data, a Ministry of Health review is under way with NCSC and police involved, and no large-scale data release has been observed since the hacker’s deadlines passed.