The Ransom Deadline That Came… And What It Says About Our Health IT System

A looming deadline has come and gone in one of Aotearoa’s most serious cyber security scares in recent years. A group calling itself Kazu claimed to have stolen around 108 gigabytes of sensitive health information from Manage My Health, one of New Zealand’s largest online patient portals – and demanded a $60,000 ransom by 15 January 2026 to prevent the data being published or otherwise misused.

That deadline passed with no public confirmation the ransom was paid – and while Manage My Health and government authorities say the breach has been contained and that there is “no evidence” that core government health systems were compromised, the episode has left many Kiwis uneasy.

The portal, used by millions to manage medical records, prescriptions and appointments, may have had detailed personal data exposed. Reports suggest that between six and seven percent of its 1.8 million users could be affected.

Health Minister Simeon Brown and Health NZ are working with privacy and cyber security officials to understand the effects and protect patients’ privacy, but there is growing frustration about how this breach could have happened.

“A warning the government must take seriously.”

That brings us to wider concerns aired by unions and public sector voices – that this is not just about one private company being attacked, but part of a broader erosion of capability in the health system’s digital defenses.

The Public Service Association (PSA) and other critics have pointed out that over recent years the Government has cut thousands of IT and digital roles across Health NZ and related services. These roles are central to maintaining, upgrading, and safeguarding the systems that support everything from patient records to clinical digital infrastructure.

In Scoop commentary this week, the PSA argued that the Government itself shares responsibility for weakening health IT security by slashing the workforce that would have protected critical systems. They say these decisions – including cuts made in 2024 and 2025 – left digital security teams thinner, legacy systems outdated, and capability gaps unresolved just as cyber threats were rising.

These warnings didn’t start with the Manage My Health breach. Similar concerns were raised when other health IT projects were deferred or digital security funding faced shortages – even as providers highlighted vulnerabilities in outdated platforms.

Critics point to lessons from past ransomware attacks – both here and internationally – showing that healthcare data and systems are prime targets for cybercriminals worldwide. The Manage My Health episode reflects a global trend in which sensitive medical information is considered highly valuable on the dark web and by criminal groups, and ransomware has become one of the biggest drivers of breaches in healthcare.

For the public, the distant government jargon and budget lines can feel abstract – but the risk is real. If personal health information is exposed, individuals could face identity theft, blackmail, or fraud. And at a system level, it erodes trust in digital health tools that are meant to improve access and care.

What needs to happen now?

Public pressure is building for the Government to not only respond to this specific breach – including better transparency on how patient data was exposed and protected – but to rethink broader health IT policy:

• Restore and expand cyber security and digital capability in both public and private health systems.

• Modernise legacy systems and ensure up-to-date encryption, monitoring and incident response.

• Ensure robust oversight and investment, so secure digital health services are not treated as a cost center that can be cut without consequence.

The January Manage My Health deadline may have come and gone without public dramatic headlines – but its implications are ongoing. If Aotearoa wants a health system that is safe, resilient, and future-ready, the lessons now need to be listened to at the highest levels.

Kia tika te tiaki i ngā raraunga – let us look after our data with the same dedication we expect in our clinics and hospitals.

RELATED NEWS

Whānau Ora commissioning changes spark job fears Death in custody Marama Davidson: Privileges Committee Ruling: A Turning Point for Māori Rights?