Manage My Health Data Breach: What We Know So Far
On 29 December, patient portal provider Manage My Health suffered a significant data breach in which health-related documents belonging to a large number of New Zealanders were accessed and exfiltrated. While many details remain unclear, a picture is gradually emerging of the scope of the incident and the questions that still need answers.
Background
Manage My Health is the patient portal component associated with the Medtech ecosystem, particularly Medtech Evolution and Medtech Cloud. Medtech Evolution represents the successor platform to Medtech 32, which for many years was the dominant practice management system used by General Practitioners throughout New Zealand. Today, Medtech retains a substantial share of the New Zealand primary healthcare market.
In 2020, Medtech Global was acquired by Acclivis Group from founder Vino Ramayah. At the same time, Manage My Health was separated from Medtech Global and became an independent company, with Ramayah remaining involved as owner and CEO.
Manage My Health services are generally contracted and paid for by medical practices rather than directly by patients. This raises several questions regarding communications and data ownership, including:
- Should breach notifications be delivered directly by Manage My Health or through affected medical practices?
- What responsibilities exist when a patient leaves a practice?
- How long should patient information remain accessible within the platform?
Who Was Responsible?
The attack has been attributed to a relatively new cybercriminal group known as Kazu.
Public reporting has suggested the group demanded a ransom of approximately NZ$60,000. Compared with many modern ransomware incidents, this figure is relatively low. Cybercriminal groups often seek to maintain credibility among future victims by demonstrating that they honour agreements following payment, although there is never any guarantee that stolen data will be deleted or that attackers will not retain copies.
What Data Was Taken?
According to Manage My Health, approximately 126,000 individuals were affected, with the compromised data consisting primarily of health documents.
Health documents typically include:
- Hospital discharge summaries
- Referral letters
- Specialist correspondence
- Scanned records
- Clinical photographs
- PDF attachments and uploaded documents
Based on information released so far, the breach does not appear to have involved routine clinical data fields such as blood pressure readings, allergies, weight measurements, demographic details, or consultation notes. However, the exact scope of the exposed information has not been fully disclosed.
Kazu has claimed to possess more than 400,000 individual documents, which would be broadly consistent with the reported number of affected patients.
It is important to note that Manage My Health is a private company and is not part of Health New Zealand (Te Whatu Ora). Nevertheless, many of the documents stored within the platform may have originated from Health New Zealand hospitals, specialists, and services.
How Did the Breach Occur?
The precise technical cause has not been publicly confirmed.
In a Telegram conversation reportedly involving a member of the public, Kazu claimed the compromise was made possible through weak access controls within the system.
However, court documents filed by Manage My Health in support of an injunction describe:
“Abnormally high-frequency login activity with repeated authentication attempts and the use of rotating IP addresses to hide the source of attack.”
These statements appear difficult to reconcile with a scenario involving a single authenticated account exploiting a simple access control weakness. Possible explanations include:
- An initial credential attack used to obtain access.
- Multiple compromised accounts.
- A combination of authentication abuse and application-level vulnerabilities.
- Incomplete public information regarding the attack methodology.
At this stage, the available evidence is insufficient to definitively determine the attack path.
Why Were So Many Northland Patients Affected?
A significant proportion of impacted patients appear to be associated with Northland medical practices.
One possible explanation is that Northland practices were among the earliest adopters of the Manage My Health platform, resulting in a larger volume of historical patient documents being stored within affected systems.
Reports have also referenced approximately 355 impacted medical practices. However, it remains unclear whether all of these practices actively used Manage My Health or whether some were implicated because they exchanged referrals and clinical correspondence with participating practices.
Was a Vulnerable API Involved?
While unconfirmed, a leading theory is that an application programming interface (API) exposed weaknesses that enabled large-scale data extraction.
For an attacker to retrieve hundreds of thousands of documents, they would likely have needed a method to systematically enumerate users, documents, or identifiers. This could have occurred through:
- Inadequate authorisation controls.
- Predictable identifiers.
- Excessive API functionality exposure.
- Insufficient rate limiting and abuse detection.
Observations from publicly shared files suggest document names were not sequential, which may indicate the attacker was able to request document collections associated with patients rather than simply guessing file names.
Without access to forensic findings, however, this remains informed speculation rather than a confirmed conclusion.
Was TLS 1.2 Responsible?
Some commentators have pointed to support for TLS 1.2 as evidence of weak security.
This claim is unlikely to be relevant to the breach.
TLS 1.2 remains widely supported across healthcare and government sectors worldwide. Maintaining support for older encryption standards is often necessary to ensure access for patients using older devices, particularly those in lower-income, rural, or elderly demographics.
There is currently no evidence that TLS 1.2 played any role in the compromise.
Would Multi-Factor Authentication Have Helped?
There is currently no indication that user-level multi-factor authentication (MFA) would have prevented this incident.
While MFA remains an important security control and should be enabled wherever possible, the available information suggests the breach may have involved application-level weaknesses rather than attacks against individual patient accounts.
Users should still reset passwords if advised to do so, but there is no evidence that patients could have individually prevented the compromise.
Government Response
The Minister of Health, Simeon Brown, has requested that the Ministry of Health undertake a review of both Manage My Health and Health New Zealand’s response to the incident.
The review is expected to examine:
- The cause of the breach.
- Security controls and oversight.
- Incident response procedures.
- Communication with affected patients and healthcare providers.
- Future safeguards for health information systems.
Lessons Learned
Regardless of the final technical findings, the incident highlights the importance of:
- Strong access controls.
- Continuous monitoring and anomaly detection.
- Effective API security.
- Comprehensive logging and alerting.
- Clear communication pathways during incidents.
- Independent security testing and regular audits.
Based on the information currently available, it appears likely that better monitoring and abuse detection mechanisms could have identified unusual activity earlier and potentially reduced the scale of the data exposure.
The Ransom Question
Whether organisations should ever pay a ransom remains one of the most contentious issues in cybersecurity.
The general consensus among law enforcement and cybersecurity professionals is that ransom payments should be avoided because they fund criminal activity and provide no guarantees regarding data deletion or future extortion.
However, healthcare incidents involve unique considerations, including patient privacy, mental wellbeing, and the sensitivity of exposed medical information.
In this case, some may argue that the relatively modest ransom demand should have been weighed against the potential harm to affected individuals. Others would contend that payment would simply encourage further attacks against healthcare providers and establish a dangerous precedent.
Ultimately, the decision involves legal, ethical, operational, and reputational factors that extend far beyond the monetary value of the demand.
What is clear is that the incident has already generated significant public concern, created substantial reputational challenges for Manage My Health, and highlighted the critical importance of securing New Zealand’s healthcare information systems.