A Government-commissioned cyber security review has found serious security failings inside the Manage My Health platform before one of the largest health data breaches in New Zealand history.
The independent review, prepared by CyberCX for the Ministry of Health, examined the cyber attack that struck the privately-owned patient portal in late December 2025. Hackers accessed sensitive patient records, with claims more than 400,000 files containing medical information, prescriptions and personal documents were stolen.
The report says Manage My Health was unprepared for an incident of this scale and had major weaknesses in its cyber security systems, including failures in application security, monitoring and risk management.
Investigators found the breach began after hackers used stolen login details linked to malware and then exploited weaknesses in the platform’s application programming interface, allowing access to patient documents.
The review says stronger technical protections, including better access controls and multi-factor authentication requirements, may have prevented the attack or reduced its impact.
The report also criticised wider health sector oversight, saying stronger cyber risk checks should have been applied to third-party providers handling sensitive health data.
Nearly 100,000 people were ultimately confirmed as affected by the breach after initial estimates were revised during the investigation process.
CyberCX described the incident as a wake-up call for the health sector and warned similar attacks could happen again unless security standards and supplier oversight are significantly strengthened.
The review made 12 recommendations, including further penetration testing, stricter compliance checks, stronger supplier monitoring, and improved breach notification procedures across the health system.
#CyberSecurity #ManageMyHealth #DataBreach #NZHealth #HealthData #CyberAttack #Privacy #Aotearoa #MinistryOfHealth #RadioWaatea
