New Zealand orders review into ManageMyHealth cyberattack
New Zealand health minister Simeon Brown has ordered a review into the cyberattack at ManageMyHealth, which threatens the data of hundreds of thousands of Kiwis.
Brown told reporters on Monday that he asked the government to begin reviewing the incident, including its cause, scope, the company's defenses, and the wider impacts to data access across the country.
ManageMyHealth is a private company that offers a platform used by medical facilities across New Zealand to access patient health records. According to its website, it handles the data for around 1.85 million locals, and the breach affected an estimated 6-7 percent of them.
"This breach of ManageMyHealth data is incredibly concerning, particularly to the over 100,000 patients and their families who have had their very most personal data, which is their health data, breached through this incident," Brown said.
"It's an incredible concern to the government and to Health New Zealand, and the government is throwing a significant amount of resource at addressing this and supporting ManageMyHealth as they respond to this incident."
Brown emphasized this information represents deeply intimate patient details. He added that regardless of whether the data is maintained by public or private organizations, it requires the highest level of security and privacy safeguards, and the nation must significantly improve its handling of such sensitive information.
A fact sheet posted to ManageMyHealth's website states the company believes the incident is contained, and digital forensics experts are now combing the evidence to establish the full extent of the attack.
"Our immediate priority is safeguarding the integrity and security of our systems," said ManageMyHealth. "We are working with independent cybersecurity specialists, the Privacy Commissioner, the New Zealand Police, and Health New Zealand to coordinate our response. We have implemented additional monitoring and security improvements."
A miscreant going by the name Kazu claimed responsibility for the attack via a cybercrime forum post on December 30. They said the stolen data included more than 428,000 files, which would be opened up for sale if ManageMyHealth did not pay the $60,000 ransom demand by January 15.
However, on Telegram, Kazu said on January 3 that all the data would be released within 48 hours if the company did not pay.
New Zealand's official stance on paying ransoms mirrors that of its Western geopolitical allies: do not do it.
Kazu released snippets of the data via Telegram, although the links were flagged as abuse material on the file-sharing site and are no longer usable.
IT consultant Cody Cooper, who told RNZ he investigated the data involved before the links were taken down, said it includes passport scans, details of patients' conditions, nude images, and more.
ManageMyHealth refused to "speculate" on what kinds of data were included, saying that efforts are still underway to determine what was downloaded and/or accessed.
It stated: "'Accessed' means an unauthorised party may have viewed or opened files. 'Downloaded' means files were copied out of the environment. Independent forensics are being used to confirm what was accessed and what may have been downloaded.
"We will not speculate about what was accessed or by whom. Our priority is to confirm what happened, protect data, and provide affected people with information that is correct."
Brown told media that ManageMyHealth applied for an injunction on Monday to prevent the dissemination of any data that the cybercriminal releases.
The company advised users to regularly change their passwords and use authentication apps for multi-factor protection.
It also said it would never ask for passwords or one-time codes over the phone, and users should be wary of potential scams targeting them.
"We are still investigating what information may have been accessed," the company said. "In general, personal information can sometimes be misused for identity theft or scams.
"If we confirm that your information was affected, we will notify you directly. As a precaution, we recommend following online safety best practices." ®