What happened
Hackers demanded a ransom after a major New Zealand health data breach, compromising the Manage My Health portal. Identified on 30 December 2025, the attack exposed medical records of approximately 108,000–126,000 users. Threat actors operating under the name “Kazu” threatened to release over 400,000 files unless US$60,000 was paid. Compromised data included medical records, prescription information, diagnostic results, and personal contact details. Authorities and New Zealand Health Minister Simeon Brown initiated urgent reviews, while cybersecurity experts warned about identity theft and fraud risks. Exploitation leveraged unauthorized portal access, but technical specifics of the breach have not been fully disclosed.
Who is affected
Patients registered with Manage My Health, general practitioners, and healthcare organizations face direct exposure, with potential indirect impact on wider healthcare services and public trust.
Why CISOs should care
Health record breaches risk identity theft, regulatory non-compliance, and reputational damage, emphasizing the need for robust access controls and incident response in healthcare systems.
3 practical actions
Review access controls: Audit authentication and authorization policies for health data portals.
Enhance monitoring: Detect anomalous access patterns or large data exports in healthcare systems.
Prepare patient notification protocols: Establish communication strategies and support mechanisms for affected individuals.