The MMH Data Breach

On 30 December 2025, Manage My Health, a widely used platform for storing and accessing GP health records across NZ, experienced a data breach affecting around 126,000 people. MMH integrates with multiple medical services and allows patients to view information such as test results, scans, and clinical records online.

The breach is believed to have resulted from a phishing attack, where an employee clicked on a malicious email link, allowing unauthorised access to parts of the system. The compromised data appears to be largely limited to North Island patients and older records, approximately eight years old, with around 100,000 records involved. An independent investigator has since been engaged.

MMH publicly disclosed the breach on 1 January 2026. Since then, there has been speculation online, including claims of data appearing publicly. The individual responsible has reportedly come forward seeking a ransom, and there are indications that email addresses and passwords may have been shared elsewhere. As is common with high-profile incidents, misinformation has circulated alongside confirmed details.

We regularly work with medical and health-sector organisations and have supported clients through similar, smaller incidents. If your organisation would like reassurance, we can carry out cybersecurity health checks, phishing resilience reviews, and practical security assessments to help reduce risk before an incident occurs.