Manage My Health Cyber Breach

Important update about your health information

Dear Whaanau (patients),

We acknowledge the recent cybersecurity breach at ManageMyHealth (MMH) and recognise the distress and concern this news will be causing.

What happened?

On 30 December 2025, MMH identified unauthorised ransomware activity within the My Health Documents module of the ManageMyHealth app. This activity was the result of a criminal cyberattack.

Once detected, MMH secured its systems, isolated the affected environment, and engaged independent cybersecurity and forensic specialists. They have also notified and are cooperating with Health New Zealand, the Privacy Commissioner, New Zealand Police, and other relevant authorities.

Is ManageMyHealth still safe to use?

In short, yes. MMH has confirmed that the services connecting ManageMyHealth to general practice systems were not impacted by this incident. Clinical systems, practice management systems, and day-to-day clinical workflows remain secure and unaffected. There has been no impact on practice-held patient records.

MMH has also advised that there is no evidence of ongoing unauthorised access and that the incident has been contained. Additional safeguards have been put in place, and their systems are currently secure.

MMH is encouraging enabling two-factor authentication and updating your password (if you haven’t already been prompted to do so).

Turuki Health Care takes your privacy and confidentiality seriously. We also partner with Netcare as our specialist IT and cybersecurity provider to help strengthen and continuously improve the security of our own clinical and business systems, to keep patient data safe. We will continue to monitor this situation and be further reviewing our own information security in line with any findings from this third-party incident.

Do we have any patients affected by the cyber incident?

Yes, we have some patients that have been affected by the hacking. These patients are being contacted in tranches by the MMH team to let them know they were affected, next steps, and to offer appropriate support.

Why have we not notified affected patients ourselves?

The Office of the Privacy Commissioner (OPC) has asked for a co-ordinated approach to notification rather than having hundreds of individual practices undertake the process; therefore, the OPC has asked MMH to manage the notification process. We have to respect the wishes of the government and follow due process.

When will the notification of patients start?

MMH has told us that the notification process to affected patients started today, Thursday 8 January and is likely to take up to a week to complete given the sheer size and scale of the breach.

So far around 50,000 patients have been contacted. The next tranche of notifications will begin at 8.30am tomorrow morning. To reach the full list but will take several days to complete while contact details are gathered.

MMH has made updates to its website with an “account security status” notification. A green box (as per the image below) means the account has not been accessed. If it has a “red” security status note the account has been affected and a reference number will be provided and the 0800 number to ring for further support.

Summary of key points

ManageMyHealth has indicated that it is taking responsibility for notification to individuals who have had personal information disclosed as a result of their cyber security incident.
Anyone concerned about whether information may have been disclosed will be contacted by ManageMyHealth directly.
Health providers do not have sufficient details about the individual information involved in order to provide you with any useful information at this stage.
It is appreciated that this is a difficult and unsettling situation, it is important that individuals who might be affected are provided with accurate and certain information, and only ManageMyHealth can provide that at this stage.

Taking care of your wellbeing

It’s important to look after yourself during this time. Here are some ways you can support your mental health and wellbeing:

Talk to someone you trust about how you’re feeling

Limit how much time you spend reading about the breach if you notice it increases your anxiety

Stick to routines that support your wellbeing, such as physical exercise, social connection, gardening, crafts, cooking, or taking part in your usual activities

Use calming strategies like breathing exercises or grounding techniques to help manage stress.

If you continue to feel distressed or overwhelmed, free wellbeing support services in Aotearoa

Call or text 1737 to talk with a trained counsellor, free, anytime

Suicide Crisis Helpline – 0508 828 865 (0508 TAUTOKO)

Mental Health Emergency Team – 0800 467 846

If you have concerns or need reassurance, please contact us, we are here to awhi and support you.

Ngaa mihi nui,

Turuki Health Care

Dear Whaanau (patients),

We acknowledge the recent cybersecurity breach at ManageMyHealth (MMH) and recognise the distress and concern this news will be causing.

What happened?

On 30 December 2025, MMH identified unauthorised ransomware activity within the My Health Documents module of the ManageMyHealth app. This activity was the result of a criminal cyberattack.

Once detected, MMH secured its systems, isolated the affected environment, and engaged independent cybersecurity and forensic specialists. They have also notified and are cooperating with Health New Zealand, the Privacy Commissioner, New Zealand Police, and other relevant authorities.

Is ManageMyHealth still safe to use?

In short, yes. MMH has confirmed that the services connecting ManageMyHealth to general practice systems were not impacted by this incident. Clinical systems, practice management systems, and day-to-day clinical workflows remain secure and unaffected. There has been no impact on practice-held patient records.

MMH has also advised that there is no evidence of ongoing unauthorised access and that the incident has been contained. Additional safeguards have been put in place, and their systems are currently secure.

MMH is encouraging enabling two-factor authentication and updating your password (if you haven’t already been prompted to do so).

Turuki Health Care takes your privacy and confidentiality seriously. We also partner with Netcare as our specialist IT and cybersecurity provider to help strengthen and continuously improve the security of our own clinical and business systems, to keep patient data safe. We will continue to monitor this situation and be further reviewing our own information security in line with any findings from this third-party incident.

Do we have any patients affected by the cyber incident?

Yes, we have some patients that have been affected by the hacking. These patients are being contacted in tranches by the MMH team to let them know they were affected, next steps, and to offer appropriate support.

Why have we not notified affected patients ourselves?

The Office of the Privacy Commissioner (OPC) has asked for a co-ordinated approach to notification rather than having hundreds of individual practices undertake the process; therefore, the OPC has asked MMH to manage the notification process. We have to respect the wishes of the government and follow due process.

When will the notification of patients start?

MMH has told us that the notification process to affected patients started today, Thursday 8 January and is likely to take up to a week to complete given the sheer size and scale of the breach.

So far around 50,000 patients have been contacted. The next tranche of notifications will begin at 8.30am tomorrow morning. To reach the full list but will take several days to complete while contact details are gathered.

MMH has made updates to its website with an “account security status” notification. A green box (as per the image below) means the account has not been accessed. If it has a “red” security status note the account has been affected and a reference number will be provided and the 0800 number to ring for further support.

Summary of key points

ManageMyHealth has indicated that it is taking responsibility for notification to individuals who have had personal information disclosed as a result of their cyber security incident.
Anyone concerned about whether information may have been disclosed will be contacted by ManageMyHealth directly.
Health providers do not have sufficient details about the individual information involved in order to provide you with any useful information at this stage.
It is appreciated that this is a difficult and unsettling situation, it is important that individuals who might be affected are provided with accurate and certain information, and only ManageMyHealth can provide that at this stage.

Taking care of your wellbeing

It’s important to look after yourself during this time. Here are some ways you can support your mental health and wellbeing:

Talk to someone you trust about how you’re feeling

Limit how much time you spend reading about the breach if you notice it increases your anxiety

Stick to routines that support your wellbeing, such as physical exercise, social connection, gardening, crafts, cooking, or taking part in your usual activities

Use calming strategies like breathing exercises or grounding techniques to help manage stress.

If you continue to feel distressed or overwhelmed, free wellbeing support services in Aotearoa

Call or text 1737 to talk with a trained counsellor, free, anytime

Suicide Crisis Helpline – 0508 828 865 (0508 TAUTOKO)

Mental Health Emergency Team – 0800 467 846

If you have concerns or need reassurance, please contact us, we are here to awhi and support you.

Ngaa mihi nui,

Turuki Health Care

Manage My Health

Important update about your health information

Contact us

Contact us

Contact us