The cyberattack on Manage My Health, a privately owned patient records platform used widely across New Zealand, marked one of the country’s largest privacy breaches in recent memory. Hackers gained unauthorised access to sensitive medical data, including personal and health information, exposing vulnerabilities in systems that underpin everyday healthcare delivery.
Soon after the breach, the attacker—operating under the alias “Kazu”—demanded a ransom of US$60,000, threatening to release stolen data if payment was not made. Samples of the compromised information were briefly posted online, intensifying concern among patients, clinicians and regulators.
In response, Manage My Health sought and obtained a High Court injunction barring anyone from accessing, sharing or distributing the stolen data. Within weeks, online posts referencing the breach disappeared, though the damage to public trust had already been done.
Certified Cyber Crime Investigator Course Launched by Centre for Police Technology
Tracking “Kazu”: An Online Investigation
Behind the scenes, the International Online Crime Coordination Centre (IOC3), a cybersecurity group that monitors global online harm, began tracing the digital footprint of the hacker. The organisation, which focuses on threats ranging from fraud and extremism to child exploitation, says it has now identified the person allegedly responsible.
IOC3 has shared its findings with RNZ and notified authorities, though it has asked that the individual not be named and that operational details remain confidential. Caden Scott, the group’s executive director, said caution was essential.
“We’re mindful that we’re still looking into this individual,” Scott said. “We don’t want to mistakenly drive this person underground by making them aware that there are these kinds of investigations ongoing.”
Scott said the alleged hacker had carried out multiple attacks globally, suggesting the Manage My Health breach was part of a broader pattern rather than an isolated incident.
Ransomware, Health Data and Ethical Pressure
The case highlights a recurring dilemma for healthcare organisations targeted by ransomware: whether to pay to prevent sensitive data from being released. Health records are among the most intimate forms of personal information, and their exposure can have lasting consequences.
“When you look at healthcare institutions, they often don’t really have that choice,” Scott said. “This is very sensitive information, so a lot of times it feels like doing whatever possible to stop it getting out.”
Yet Scott warned against paying ransoms, arguing that compliance offers no guarantee of protection. Hackers may still sell or leak the data after receiving payment, turning victims into repeat targets.
Instead, he urged organisations to work with law enforcement, even if that path feels slower and more uncertain.
Authorities Urge Caution on Attribution
New Zealand’s National Cyber Security Centre (NCSC) confirmed it was aware of public claims identifying those behind the Manage My Health attack and said it was working closely with police, Health New Zealand and other agencies to limit further harm.
Mike Jagusch, the NCSC’s chief operating officer, stressed that formally attributing cyberattacks is a complex and deliberate process.
“Attribution requires significant analysis to have the necessary level of confidence,” Jagusch said. “Public attribution is a whole-of-government decision and is undertaken when it is in the national interest.”
As investigations continue, the breach has become a stark case study in the risks facing digital healthcare systems—where vast amounts of sensitive data, limited tolerance for disruption and evolving criminal networks intersect. For New Zealand, and for healthcare providers globally, the episode underscores how cyber incidents now extend far beyond technical failures, touching on ethics, trust and the limits of digital security.
About the author — Suvedita Nath is a science student with a growing interest in cybercrime and digital safety. She writes on online activity, cyber threats, and technology-driven risks. Her work focuses on clarity, accuracy, and public awareness.
