More than 80,000 Northland residents had their medical records stolen in a ransomware attack on New Zealand's largest patient portal. The breach exposed sensitive health documents including hospital discharge summaries, clinical letters, and referral notifications dating back to 2017.
Health NZ confirmed 86,000 people in Northland were impacted, representing over 70 percent of total affected patients nationwide. The ransomware group Kazu demanded US$60,000 (NZD$105,000) after stealing hundreds of thousands of medical files from the privately-operated Manage My Health portal.
The cyber incident affected 6-7 percent of the platform's 1.8 million registered users, limited to the "My Health Documents" module. Court documents revealed 45 GP practices in Northland were included in the data breach, with the region being the only area where Health NZ uses Manage My Health to share information with patients.
Patients reported being unable to access information about their compromised data due to website crashes and overloaded helplines. The 0800 support number repeatedly disconnected callers, while the patient portal displayed "temporarily unavailable" messages throughout the notification period.
Manage My Health has notified approximately half of the 120,000 affected patients since the breach was detected on December 30. The company acknowledged technical difficulties but said the notification process "cannot be simplified" due to separate patient cohorts requiring different handling approaches.
Health NZ group director of operations for Northland Alex Pimm said the organization is seeking funding to allow general practices to provide consultation and mental wellbeing support. Affected patients will receive access to an 0800 support line for discussing their clinical information.
The College of GPs labeled Manage My Health's response "shambolic, frustrating and slow." President Luke Bradford noted practices received conflicting information, with some told patient counts but not names, while others received complete patient lists.
Cyber security expert Vimal Kumar from Waikato University's Cyber Security Lab criticized the nine-day delay in notifications. He pointed to basic security failures, including improperly configured DMARC (Domain-based Message Authentication, Reporting, and Conformance) protocols.
The breach exposed three categories of data: Northland hospital discharge summaries from 2017-2019, patient-uploaded documents like address changes and health measurements, and referral documents. Clinical advisor Emeritus Professor Murray Tilyard confirmed deceased patients were among those affected.
Manage My Health appointed Tilyard as honorary clinical advisor following the breach. His role includes helping practices identify vulnerable patients and contacting next of kin for deceased individuals whose records were compromised.
The ransomware group's latest deadline reportedly passed at 5am on Friday, according to RNZ interviews with Manage My Health. The company declined to comment on whether it would pay the ransom or engage with the hackers.
Patients expressed frustration over contradictory notifications, with some receiving emails stating their data wasn't breached only to receive follow-up messages confirming compromise days later. Many reported being unable to implement recommended security measures like password changes due to system overload.
Privacy concerns escalated as patients realized sensitive information including abuse histories, mental health records, and chronic condition details could now be in criminal hands. The breach raises questions about private companies storing highly sensitive health data without adequate safeguards.
Health NZ emphasized its own systems remain uncompromised but acknowledged the seriousness of any patient information exposure. The organization said it takes "any issue involving patient information very seriously" despite the breach occurring on a third-party platform.
The incident highlights growing ransomware threats against healthcare providers worldwide, with patient portals becoming attractive targets due to the sensitive nature of medical data and potential for extortion payments. New Zealand's healthcare sector faces increasing pressure to strengthen cybersecurity protocols across both public and private systems.
