Wellington: New Zealand’s online patient portal Manage My Health (MMH) has warned that fraudsters may now attempt to contact customers following a major data breach, urging users to remain alert to phishing and impersonation attempts.
In a statement, MMH said it has notified most people affected by the data theft that occurred late last year but cautioned that so-called “secondary actors” could exploit the breach by posing as the company. These actors may attempt to contact users through spam or phishing emails designed to prompt engagement or extract sensitive information.
Certified Cyber Crime Investigator Course Launched by Centre for Police Technology
“We’re aware that secondary actors may impersonate MMH and send spam or phishing emails. These communications are not from MMH,” the company said, adding that it is investigating steps to limit such activity and has issued guidance to help users protect themselves.
The breach has attracted national attention after cybercriminals demanded a ransom of several thousand dollars, threatening to release the stolen data on the dark web if payment was not made. The compromised information could potentially expose the medical details of more than 120,000 New Zealanders, raising serious concerns over patient privacy and data security.
MMH acknowledged that some individuals initially contacted during the early stages of its response were later found not to have been affected by the breach. “We are progressing through the notifications, with a large proportion of affected patients having now received a notification email,” the organisation said. “Our priority remains notifying the remaining affected patients and ensuring they receive appropriate support.”
The company said it is working closely with the Office of the Privacy Commissioner, which this week announced a formal inquiry into the privacy aspects of the breach. The inquiry will assess how the incident occurred, whether adequate security safeguards were in place, and if the company met its obligations under New Zealand’s privacy laws.
While the hackers had earlier issued deadlines and threatened to publish the data, there has been no further communication or public release of the stolen information since the last reported deadline passed on January 9. Authorities have cautioned, however, that the absence of further threats does not necessarily mean the risk has ended.
Cybersecurity experts warn that the period following a major breach often sees a surge in follow-up scams, with criminals exploiting fear and confusion among affected users. Such scams may seek to obtain passwords, financial information or identity documents under the guise of official communication.
Users have been advised to carefully scrutinise emails, messages or phone calls claiming to be from Manage My Health, avoid clicking on unsolicited links, and verify any communication through official and trusted channels. MMH has reiterated that it will not ask users to provide passwords, banking details or payment information.
The incident has also renewed scrutiny of cybersecurity standards in the health technology sector, particularly for privately operated platforms that handle highly sensitive medical data. Critics argue that regulatory gaps and limited enforcement have left patient information vulnerable, while privacy advocates are calling for stricter penalties, mandatory security audits and clearer accountability mechanisms.
MMH said it continues to cooperate with regulators and external cybersecurity experts as investigations continue. As the Privacy Commissioner’s inquiry progresses, the breach is expected to have broader implications for data protection practices across New Zealand’s digital health ecosystem, with policymakers under increasing pressure to strengthen safeguards against future cyberattacks.
About the author — Suvedita Nath is a science student with a growing interest in cybercrime and digital safety. She writes on online activity, cyber threats, and technology-driven risks. Her work focuses on clarity, accuracy, and public awareness.
