Manage My Health Warns of Impersonation Scams as Fallout From Major Data Breach Continues

 

The repercussions of the Manage My Health data breach are still unfolding, with the company cautioning that cybercriminals may now be targeting affected users by posing as the online patient portal.

Manage My Health, which runs a widely used digital health platform across New Zealand, has confirmed that the majority of individuals impacted by the incident have been notified. At the same time, the organization has raised concerns that opportunistic criminals are attempting to exploit the situation by circulating phishing or spam messages designed to look like official communications from Manage My Health.

“We’re also aware that secondary actors may impersonate MMH and send spam or phishing emails to prompt engagement. These communications are not from MMH,” the company said in a statement. It added that steps are being examined to curb this activity, alongside issuing safety guidance to help users avoid further harm.

The cyberattack, which took place toward the end of last year, involved unauthorized access to documents stored within a limited section of the platform. According to reports, the attackers demanded a ransom of several thousand dollars, threatening to publish sensitive data on the dark web. Had this occurred, personal medical information belonging to more than 120,000 New Zealanders could have been exposed.

Manage My Health clarified that core services remained unaffected by the breach. Live GP clinical systems, prescriptions, appointment bookings, secure messaging, and real-time medical records were not compromised. The intrusion was restricted to documents housed in the “My Health Documents” feature.

The affected files included user-uploaded materials such as correspondence, medical reports, and test results, along with certain clinical documents. These clinical records consisted of hospital discharge summaries and clinical letters linked to care provided in Northland Te Tai Tokerau. After detecting suspicious activity, the company said it swiftly locked down the affected feature, prevented further unauthorized access, and activated its incident response protocols. Independent cybersecurity experts were brought in to assess the breach and verify its extent.

Manage My Health has since confirmed that the incident is contained and that testing shows the vulnerability has been fully addressed.

Notifications and Regulatory Response

The company acknowledged that its early response resulted in some users being contacted before the full scope of the breach was understood. “When we first identified the breach, our priority was to promptly inform all potentially affected patients,” it said, explaining that this precautionary approach meant some individuals were later found not to be impacted.

Those users were subsequently advised that their data was not involved. Individuals can also verify their status by logging into the Manage My Health web application, where a green “No Impact” banner confirms no exposure.

Notification efforts are continuing, with the company citing the complexity of coordinating communications across patient groups, regulators, and data controllers while meeting obligations under the New Zealand Privacy Act.

The breach has drawn regulatory attention, with the Office of the Privacy Commissioner (OPC) launching an inquiry into the privacy implications of the incident. Manage My Health said it is cooperating closely with the OPC, Health New Zealand | Te Whatu Ora, the National Cyber Security Centre, and the New Zealand Police.

Legal Action and Monitoring Efforts

As part of its response, Manage My Health successfully obtained an interim injunction from the High Court, preventing any third party from accessing, publishing, or sharing the compromised data.

The company is also monitoring known data leak sites and stands ready to issue takedown notices if any information surfaces online. Additional steps include resetting compromised credentials, temporarily disabling the Health Documents module, and maintaining continuous system monitoring while wider security improvements are implemented. An independent forensic investigation is still underway, though the company has declined to disclose specific technical details at this time.

Manage My Health has reiterated that it will never request passwords or one-time security codes and has urged users to be cautious of unsolicited or urgent messages claiming to be from the platform.

Anyone contacted by individuals alleging they possess health data is advised not to engage and to report the matter to New Zealand Police via 105, or 111 in an emergency, and to inform Manage My Health support. To further assist users worried about identity misuse, the company has partnered with IDCARE to provide free and confidential cyber and identity support across Australia and New Zealand.

“We take the privacy of our clients and staff very seriously, and we sincerely apologise for any concern or inconvenience this incident may have caused,” Manage My Health said, adding that it remains committed to transparency as investigations into the cyberattack continue.