The Standard

Simeon Brown sidesteps key issues in “catastrophic” Manage My Health breach

Date published: 9:39 am, January 6th, 2026 - 12 comments
Categories: budget 2025, health, simeon brown

Today is the deadline for the Manage My Health data breach ransom of USD$60,000.

According to reports, some of the stolen files show Kiwis in various states of undress, including naked clinical photos, passports, and medication/diagnosis information documenting psychiatric and mental health concerns, etc.

Other data stolen includes email addresses, phone numbers, addresses, NHI etc.

Manage My Health has claimed that approximately 6-7% of its 1.8 million users have been affected – that’s up to 126,000 Kiwis, if they are right.

According to cyber experts, private health records have been much more lucrative than credit card information for many years now:

Cybersecurity firm Trustwave pegged the black-market value of medical records at US$250 (PDF) each. Credit card numbers, on the other hand, sell for around US$5 each on the dark web, according to both sources, while Social Security numbers can be purchased for as little as US$1 each.

The breach here, considered NZ’s largest, not only exposes significant privacy breaches for Kiwis, but depending on the condition and patient, it exposes Kiwis to blackmail, theft, and inevitable mental stress.

Simeon Brown has been missing in action for most of the event, having last week downplayed the breach as “having no clinical impact”. Brown went to ground after this statement last week:

“I expect ManageMyHealth will continue to keep the public informed as more
verified information becomes available and will put appropriate
measures in place to ensure patient safety and privacy are protected and
given the highest priority.”

Last week, Manage My Health kept reiterating that it would soon contact affected patients, with communication expected “next week”. But yesterday, they again pushed that date out, saying they are still preparing to communicate.

Incredibly, Manage My Health only confirmed the security “code issue” was resolved days after the original hack. And cyber experts accused the company of using an “outdated encryption protocol” in a “catastrophic breach”.

GPs also continued to express frustration and concerns as the company went to ground, unchallenged.

And last night on 1News, Jason Walls once again did a serious journalistic disservice to Kiwis by helping Simeon Brown downplay the response and not asking the important questions. According to Manage My Health’s CEO Vino Ramayah, and Health Minister Simeon Brown, the company is acting responsibly by applying for a High Court injunction.

At no point did Walls or Brown or Ramayah focus on the substantive points that matter:

  • What was the core weakness, and how can Kiwis be confident that this will not occur again?
  • What does the CEO say to documented claims that Manage My Health was using outdated encryption protocols for years?
  • Should we keep Manage My Health?
  • Will Manage My Health help us to delete files if we delete our account?
  • Why did Manage My Health not have any basic security measures such as 2 Factor Authentication (2FA) – a capability that even KFC and other retailers have had for a long time?
  • How does an injunction stop cyber criminals from releasing and using this data, including blackmail – especially impacting vulnerable or older Kiwis?
  • Did Manage My Health conform to the Privacy Act requirements?
  • Will Manage My Health pay for cyber monitoring for impacted patients, as similar organisations have done overseas?
  • Are rumors online that Manage My Health didn’t have adequate IT and security resources accurate?

And while Simeon Brown has now buckled to increasing public pressure and ordered an “independent inquiry,” it’s hard not to remember that National Party inquiries never appear independent.

(The $500,000 paid to Bill English for an “independent” state housing review comes to mind, so too more than $500,000 paid to Sunny Kaushal’s group for recycling tired, old ideas on retail crime previously offered to Labour for free).

No-one chooses to be hacked, but the responsibility of the organisation is to ensure updated safety protocols, and sufficient IT investment/staffing to stabilise and secure environments.

According to an interested party who was interviewed for a related RNZ article:

  • From the Manage My Health debacle, it is unavoidable that a review into Privacy Legislation needs to happen and a separate review for IT security and process for Government departments and IT companies that provide services to Government departments and IT security may have to be legislated and at the same time.
  • New Zealand needs to have its own version of HIPAA (Health Insurance Portability and Accountability Act), which protects patients and includes enforcement and penalties if something of a magnitude similar to Manage My Health happens again.

What is clear is that Simeon Brown has been roundly supportive of Manage My Health and initially tone deaf on the situation, until public pressure grew.

He has also failed to speak about the pertinent issues at stake – IT security for New Zealanders’ health records, and accountability.


Do National’s Public Health Cuts Put Public Health At Similar Risk?

Manage My Health’s breach brings to focus the “aspirational” and robust $2 billion cuts from Health NZ in National’s first year, and the additional $500 million public health cut Simeon Brown just announced over the Christmas period.

Let’s not forget that Lester Levy also cut IT projects that were years in the making to upgrade and improve HNZ’s legacy technology, leaving our IT upgrades short and our systems in the “dark ages”, plus the ~50% cut to Health NZ’s IT and data teams that not only affects front line services, but leaves data and patient safety at risk.

A move to “save money” while entrepreneurs such as Aratataki Health’s Cecilia Robinson tout private capability to run public health data may not be wise at all.

And any “independent” review that excludes specifying public health security standards across private or public health entities would be a farce.

Repost from the Mountain Tui Substack

12 comments on “Simeon Brown sidesteps key issues in “catastrophic” Manage My Health breach ”

  1. PsyclingLeft.Always 1

    Onya MT. With another (in keeping with the NZ Health theme) very surgical exposé of National/Simeon, and the Health Minister's attempted minimising of this quite worrying situation.

    I am following this….will be interesting to see how it pans out? (as you say the previous Blinglish KO "review" was purely a stamping exercise)

    Take care, and Power to you !

  2. thinker 2

    As a public servant for an extended time, it has always seemed to me that the job of workers in the public sector is to protect one's upline from embarrassing faux-pas, and this trickles its way to the very top. The net effect is to stop the ship hitting a reef (save for the odd exception in Samoa).

    The job of workers in the private sector is to help one's upline to maximize profits.

    So, as much as we need to ask this company why it felt that 20 year old security IT was adequate, we need to ask Simeon Brown if he imposed minimum standards as the public health system moved towards outsourcing, and whether appropriate monitoring was put or kept in place.

    If there are no minimum standards to meet, the company is just doing what companies do. The doctors who rely on the company might have claims on what they thought was expert advice/service, but the public at large should vent its collective spleen at the people our taxes pay for to ensure safeguards are kept to an appropriate level.

    If the safeguards are there, then the public should vent its spleen at the people our taxes pay for to monitor the safeguards.

    If all of the above is in place and operating as it should then by all means point the finger only at the company, but one wonders if all is in place and operating well, how the outdated security system was able to thrive.

    Brown can't only focus the inquiry on the company's systems. It has to involve someone independently gazing at his navel, too. But, I bet it doesn't.

  3. Vivie 3

    Mountain Tui – I agree with your opinion of Jason Walls, as expressed in your linked article "Jason Walls' Disservice". The photo in the article says a lot.

    Your comments below sum up my impression of his superficial reporting:

    "In my opinion, Jason Walls isn’t demonstrating that he is in any way attempting to undertake journalism, and his presentations consistently sound more like National Party favourable press releases than any genuine attempt to inform the public, to me".

    This does not bode well for objective, informative political/economic coverage on NZ's state broadcaster, as Walls demonstrated again last night.

  4. tc 4

    It's the opposition's job to put the blowtorch on Brown's belly till done.

    Granny is an extension of the national PR machine and Jason Walls wouldn't know what actual journalism is and unlikely to find anyone around him that does as they appear to excel at keeping govt talking points out there rather than facts.

    Did MyHealth have non-current data from patients whose GPs swapped to other providers like MyIdici? There are many questions to be answered by Minister Brown.

    Big job = big responsibility. Step up to the plate, answer real questions or step down Minister and own the work you, Shane and Lester are so proud of.

  5. Res Publica 5

    I agree this breach is serious and that MMH’s security posture was probably inadequate. But it’s also worth saying this has been a long time coming, and a lot of the analysis around it has missed the deeper issue.

    In New Zealand, health data isn’t subject to any special security regime. MMH, GPs, and Te Whatu Ora are all governed by the same Privacy Act standard: taking “reasonable safeguards”. There’s no NZ equivalent of HIPAA, and no mandated technical controls specific to health data. Whether MMH met that threshold is still unclear and depends on facts we don’t yet have.

    A lot of the commentary also seems to assume there’s some single, standard set of controls that makes an organisation “safe”. That’s just not how cybersecurity works. Security is contextual and adversarial. Attackers adapt constantly, and defenders are always responding to the last exploit. Controls like encryption, TLS, or 2FA are necessary, but never sufficient.

    There is no checklist you can tick that eliminates risk.

    In practice, breaches of this scale are rarely about someone “hacking the database” or a single bad crypto decision. Much more often they start with credential compromise — spear phishing, credential stuffing, MFA fatigue, session token theft: especially if identity and access controls aren’t strong or consistently enforced.

    Even with 2FA in place, there are well-known attacks designed to bypass it.

    Where MMH clearly deserves strong criticism is in its response. Slow, shifting communication and reliance on legal mechanisms do nothing to reduce harm for affected patients. That alone points to weaknesses in governance and incident readiness, regardless of the initial breach vector.

    Stepping back, this is also a symptom of a broader structural failure in our health system. We’ve had an overly myopic focus on delivering clinicians and appointments, all the while underinvesting in the systems that make those services safe and sustainable.

    Primary care in particular has been chronically underfunded, including the digital and security capability needed to safely manage sensitive data at scale.

    If we want higher standards for health data security (and there is a strong case for that) it can’t just be about blaming one vendor or mandating new technical rules. It requires technologically literate ministerial leadership and sustained investment to lift capability across the sector.

    Without that, we’ll keep repeating this cycle, regardless of who the vendor is.

    • A lot of the commentary has noted that MMH is reported to have under-invested in security protocols and staffing, and while that hasn't occurred, it may lead to answers as to why they didn't even have 2FA, which, while not a catch-all, as no system is impenetrable, is a reflection of status and standards.

      Secondly, public health data is separate to this but there are relationships between this and Simeon Brown / Shane Reti's chainsaw to ~50% of data and IT staff and Lester Levy's termination of multiple IT projects.

      Having said all that, since publication, MMH's CEO has said the hackers were able to enter via a user ID and password – which raises further questions here on security management protocols.

      Love your work.

      • Res Publica 5.1.1

        Thanks MT! It’s always a thrill to get a hat tip from a real professional 🙂

        One of the core problems with user IDs and passwords is reuse. People reuse credentials across services, often unknowingly, and there’s very little a vendor can do to fully mitigate that short of mandating and enforcing randomly generated passwords via a password manager.

        Even then, that simply shifts the risk: if the password manager or endpoint is compromised, the attacker potentially has the keys to the kingdom. Identity is now the primary attack surface, which is why credential compromise is such a common breach vector.

        What isn’t clear yet, and really matters for attribution and accountability, is whether the compromised credentials belonged to an MMH staff member, or to someone external, such as a user at a GP practice or another connected organisation.

        Until that’s known, it’s difficult to draw firm conclusions about where the security control failure actually sat.

        That said, the absence of MFA, while not necessarily the direct cause of the breach, is still a strong indicator that their overall security posture was, at best, woefully inadequate.

  6. PsyclingLeft.Always 6

    National's Health Minister Simeon's minimisation? Meet "one" (of many) of the affected..

    'One part terrified, one part really angry' – Assault victim's anger over Manage My Health hack

    A sexual assault victim is fearful and "ragingly angry" that her most private information could be made public in the Manage My Health hack.

    A woman who was sexually assaulted 15 years ago, whom RNZ has agreed not to name, said she had not told some of those closest to her what had happened to her.

    She was fearful the information would be leaked.

    "It's almost like I've been re-victimised again because I don't know what's happening, I've got no control over the information," she said.

    "I haven't even been told if my records have been compromised … it's really hard, to be honest."

    And in a classic "I'm a victim too" the MMH CEO weeps while playing a very small violin…

    In an interview with RNZ yesterday, Manage My Health CEO Vino Ramayah said Manage My Health was itself also the victim of crime.

    All while doubling..down.

    Ramayah said the company has been working hard to make amends.

    "I think the main point is there has been a crime, we have tried to do our best, as you know, we've had staff working around the clock since this incident with very little sleep and we are trying our best to contain the damage and the pain and anxiety patients feel – that is pretty hard for us as an organisation."

    https://www.rnz.co.nz/news/national/583336/one-part-terrified-one-part-really-angry-assault-victim-s-anger-over-manage-my-health-hack

    • PsyclingLeft.Always 6.1

      And here we have the crux of it….National Health Mini Minister blames "someone else" but PSA points to the obvious…NACT1's cuts! It's what you get when driving NZ's Health System to the wall. Which is surely their endgame!

      The Public Service Association says the Health Minister is blaming officials for slow Official Information Act (OIA) responses when his government's cuts are at fault.

      The PSA's national secretary Fleur Fitzsimons told RNZ the minister should be taking responsibility instead.

      "It shouldn't take the Ombudsman stepping in for Health NZ to provide information to the public, but really this does come back to the minister. He can't keep demanding savings and then blame officials when the impacts of cuts are felt," she said.

      "Health NZ has lost over 2000 roles either through early exits, voluntary redundancies, or vacancies not being filled. This includes teams that support official information requests. They've lost critical expertise."

      https://www.rnz.co.nz/news/political/583345/health-minister-blames-slow-oia-responses-on-officials-but-union-points-to-government-s-job-cuts

      • Andrew Riddell 6.1.1

        I had to repeat an information request to the Minister three times before it was properly answered. I have two active complaints with the Ombudsman over the Minister refusing to provide requested information (and a couple active re Te Whatu Ora). Which officials does the Minister of Health blame for his own refusal to answer requests?

        • PsyclingLeft.Always 6.1.1.1

          Which officials does the Minister of Health blame for his own refusal to answer requests?

          Since there have been Ministers..and Officials…ages back. However NACT1 have taken it to Nth level : (
