Manage My Health Update
Dear patients,
We are writing to acknowledge the recent cybersecurity breach at ManageMyHealth (MMH) and to recognise the distress and concern this news will be causing. We would like to stress that our current patient portal “WELL” is totally safe and is quite different to Manage My Health. You can read about it in our news article “Cyber Security Breach” published 6th January 2025.
What happened?
On 30 December 2025, MMH identified unauthorised ransomware activity within the My Health Documents module of the ManageMyHealth app. This activity was the result of a criminal cyberattack. Once detected, MMH secured its systems, isolated the affected environment, and engaged independent cybersecurity and forensic specialists. They have also notified and are cooperating with Health New Zealand, the Privacy Commissioner, New Zealand Police, and other relevant authorities.
Is ManageMyHealth still safe to use?
In short, yes. MMH has confirmed that the services connecting ManageMyHealth to general practice systems were not impacted by this incident. Clinical systems, practice management systems, and day-to-day clinical workflows remain secure and unaffected. There has been no impact on practice held patient records. MMH has also advised that there is no evidence of ongoing unauthorised access and that the incident has been contained. Additional safeguards have been put in place, and their systems are currently secure. MMH is encouraging enabling two-factor authentication and updating your password (if you haven’t already been prompted to do so).
Do we have any patients affected by the cyber incident?
Yes, we have a very small number of patients that have been affected by the hacking. These patients are being contacted in tranches by the MMH team to let them know they were affected, next steps, and to offer appropriate support.
Why have we not notified affected patients ourselves?
The Office of the Privacy Commissioner (OPC) has asked for a co-ordinated approach to notification rather than having hundreds of individual practices undertake the process; therefore, the OPC has asked MMH to manage the notification process. We have to respect the wishes of the government and follow due process.
When will the notification of patients start?
MMH has told us that the notification process to affected patients started on Thursday 8 January and is likely to take up to a week to complete given the sheer size and scale of the breach. So far around 50,000 patients have been contacted. The next tranche of notifications will begin at 8.30am Friday morning 9th January but it will take several days to complete while contact details are gathered. MMH has made updates to its website with an “account security status” notification. A green box means the account has not been accessed. If it has a “red” security status note the account has been affected and a reference number will be provided and the 0800 number to ring for further support.
MMH has published answers to common questions, including why communication timing can vary and what terms like “accessed” mean. You can find this information here: https://managemyhealth.co.nz/faqs-cyber-breach/ We understand that situations like this can be concerning and frustrating – especially as much of the process sits outside of our control. As a reminder, this incident relates to ManageMyHealth, not our practice systems, and does not affect the care we provide. If you are experiencing any distress or feel you need to speak to someone, please call our reception team to make an appointment with one of our clinicians.
Regards
Albany Family Medical Centre