Thousands of registered patients are waiting nervously to find out if their private medical information has fallen into the wrong hands following a major security incident at ManageMyHealth, a health records platform used across Australia and New Zealand.
The Auckland-based company discovered on December 30 that cybercriminals calling themselves Kazu had broken into their systems and stolen approximately 108 gigabytes of patient information.
Users first learned something was wrong when they opened the ManageMyHealth website or mobile app and saw a notice about a cybersecurity investigation underway.
The company didn’t send direct notifications to affected individuals, leaving patients and doctors to piece together what happened through social media posts and subsequent media coverage.
Since launching in 2008, ManageMyHealth says it has accumulated 1.85 million registered patients. According to a FAQ posted days after the incident, somewhere between six and seven per cent of users—roughly 111,000 to 129,500 people—have had their data compromised.
The platform has been secured and is safe to use again, according to the company, though the mobile app remains disabled. ManageMyHealth is urging people not to engage with Kazu and has obtained a High Court order preventing third parties from accessing any stolen information.
Despite Kazu’s reputation as a ransomware operation, the breach appears to have resulted from security weaknesses in ManageMyHealth’s access controls.
CEO Vino Ramayah explained to Radio New Zealand that attackers gained entry “through the front door using a valid user password,” accessing a single system component containing health documents from specialist referrals.
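The detail above, that a single valid password was enough to pull a large volume of referral documents, points at the kind of monitoring that catches this pattern before 108 gigabytes leave the building: per-account rate and volume checks on document access. The following is an added illustration written for this article, not code from ManageMyHealth, and it assumes a hypothetical audit-log format (ISO timestamp, user id, action, document id) with constructed sample lines; it flags any account whose document reads within a sliding window exceed a threshold, which is the signal a valid-credential bulk download produces even when authentication itself looks normal.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines in a hypothetical format:
# <ISO-8601 timestamp> <user id> <action> <document id or '-'>
SAMPLE_LOG = """\
2025-12-30T01:00:05Z u1001 READ doc-77
2025-12-30T01:00:09Z u1001 READ doc-78
2025-12-30T01:00:12Z u1001 READ doc-79
2025-12-30T01:00:15Z u1001 READ doc-80
2025-12-30T01:00:18Z u1001 READ doc-81
2025-12-30T01:00:21Z u1001 READ doc-82
2025-12-30T09:12:00Z u2002 READ doc-15
2025-12-30T09:40:00Z u2002 READ doc-16
2025-12-30T10:05:00Z u3003 LOGIN -
"""


def parse_line(line):
    """Split one audit line into (timestamp, user, action, document)."""
    ts, user, action, doc = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, doc


def flag_bulk_readers(log_text, window=timedelta(minutes=5), threshold=5):
    """Return {user: peak_reads} for every account whose document reads
    inside any sliding `window` reach `threshold`.

    Only READ events count; logins and other actions are ignored so that a
    legitimately busy clinician is judged on documents pulled, not clicks.
    """
    reads = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, action, _doc = parse_line(raw)
        if action == "READ":
            reads[user].append(ts)

    flagged = {}
    for user, times in reads.items():
        times.sort()
        start = 0
        peak = 0
        # Two-pointer sweep: advance `start` until the window fits, then the
        # count of events in [start, end] is the reads inside one window.
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    # u1001 reads six documents in 16 seconds and is flagged; u2002's two
    # reads half an hour apart are not.
    for user, peak in flag_bulk_readers(SAMPLE_LOG).items():
        print(f"ALERT: {user} read {peak} documents within 5 minutes")
```

Tuning the window and threshold is the whole game: a referral-document store has a natural per-user ceiling set by how many patients a clinician can plausibly review per hour, and an account that blows through it on a valid password is the event worth paging on, regardless of how the credential was obtained.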
The criminals are demanding $89,230 for the stolen data—more than 420,000 records—and have shared sample patient files while communicating via Telegram.
In their own statement, Kazu said they intentionally focus on healthcare organisations because they understand how valuable and sensitive medical data is.
Ramayah wouldn’t confirm whether his company plans to pay, but revealed his own medical records were among those stolen.
Health Minister Simeon Brown has ordered an official investigation into the incident to determine what went wrong and whether ManageMyHealth had appropriate safeguards in place.
However, even if the company is found negligent, New Zealand privacy laws cap penalties at just NZ$10,000 (A$8600)—far below Australia’s maximum fines of $50 million or 30 per cent of annual revenue for serious breaches.
The company, which has offices in Melbourne and Chennai, India, operates a platform that lets doctors share diagnoses and test results with patients, who can then view their records online, schedule appointments, request prescriptions, and access partner services.
