Source: Radio New Zealand
Manage My Health said it would begin notifying affected patients within the next 24 hours. RNZ / Finn Blackwell
- Manage My Health will begin notifying patients affected by ransomware attack by 5pm Thursday – but some providers have already told their patients
- Patients asking whether GPs failed in their own “due diligence”
- Some GP clinics advising patients to cancel Manage My Health registrations
GP clinics are scrambling to advise their worried patients in the ongoing fallout from the Manage My Health ransomware attack, with hundreds of thousands of highly sensitive records at risk.
In its latest update at 5pm on Wednesday, the company said it would begin notifying affected patients within the next 24 hours and hoped to complete this process by early next week.
Notifications would be sent initially through email to the address that was used to register the account, and would include an 0800 number to call “for support and assistance”.
MMH had been liaising with Health New Zealand, the Office of the Privacy Commissioner, General Practice NZ, and GP practices “to ensure patients receive clear, consistent information and do not receive multiple or confusing notifications from different organisations about the same incident”.
However, some patients told RNZ they had already been directly contacted by their healthcare provider to confirm their documents were stolen.
Some are questioning why practices did not do more due diligence themselves, after it was revealed the portal retained patient records even after they switched providers.
A Wairarapa woman told RNZ she was assured by her practice that her records could not be at risk as they would have been “archived and deleted” when it changed providers a year ago.
“While I was there at reception, I just opened the Manage My Health app and all of my information was still there.
“I showed them the phone and there were a lot of surprised faces.”
She was told to contact Manage My Health herself – but she contacted the practice manager pointing out the clinic also had a responsibility to inform patients.
“They’ve since emailed all patients with instructions on how to close their accounts with Manage My Health and also posted that information online.
“But none of us were told at the time we changed over that we should have individually closed our accounts, and it’s a little bit late to be doing that now.”
The woman said the kind of information that has been taken could be be misused for financial scams and identity fraud.
“In South Wairarapa we’ve got a lot of vulnerable communities, there’s a lot of elderly people in the community and I’m really concerned for my community and for my neighbours who could be affected by this.
“People may not even notice there’s a problem until it’s too late.”
Manage My Health CEO Vino Ramayah. SCREENSHOT / RNZ
Mixed comms from clinics
Manage My Health’s owner and chief executive Vino Ramayah told RNZ the company needed each patients’ consent before deleting their historical data, even if they changed doctors, or their GP terminated the contract.
“Quite a lot of our patients don’t belong to a doctor… So when a patient leaves a doctor’s practice, the patients have a choice to continue to use Manage My Health or they can close the application, in which case we will delete the data. “
Under its terms of service, the company was obliged to store patient data until given explicit direction by patients “because we’d be wiping out a lot of their historical data”.
Since news of the cybersecurity breach broke, some clinics have been posting different online messages.
One Auckland GP practice network – which transitioned to another provider in November 2025 – texted patients to say MMH would “take responsibility for contacting any impacted individuals”.
However, one of their patients said a staff member subsequently assured her “there’s nothing to worry about, as they’ve removed all of their patient’s records from MMH”.
Other clinics have correctly advised patients that some of the documents accessed were historical and may impact patients and providers who no longer used the MMH portal. They have directed people to MMH for latest updates.
Te Kauwhata Health Centre in Waikato told patients it was taking advice from its own IT security provider to ensure systems were “safe and secure” and waiting for MMH to determine whether any of its own patients’ data was involved.
“Manage My Health is managing the notification process and will contact affected people directly. Our practice can’t confirm whether an individual patient was affected.”
While MMH was confident the breach had been contained, the clinic urged patients to change their passwords and enable two-factor authentication for their own “peace of mind”.
Meanwhile, patients were warned to be cautious of scams and not share passwords or verification codes.
Tuki Tuki Medical in Waipukurau told patients confidentially that it had received “welcome confirmation” that none of its files had been impacted.
“Tuki Tuki Medical does not use all the modules available through the MMH Portal which has kept your information safer.”
Masterton Medical told patients it ended its MMH contract on 4 September 2025, “so no recent patient info was uploaded after that date. MMH is still investigating and will notify anyone affected”.
However, another patient said her practice had not given any advice about the possibility of MMH retaining their information.
She said when she contacted the practice manager, she was told the primary health organisation – which covers dozens of practices – had directed them “not to do anything”.
“So she is… ‘just waiting’. I asked whether allegiance was to her clinic’s 18,000+ patients – or to the PHO and MMH.”
Patients worried
A Wellington patient, whom RNZ had agreed not to name, said a healthcare provider had confirmed to him that at least one document of his was among those stolen by hackers.
“The practice manager confirmed to me it had instructed Manage My Health to delete their client records once migration [to another provider] was completed, but that didn’t happen.”
He logged into Manage My Health and found more than 200 documents of his were still available.
“I’ve got a sensitive claim and if the wrong people got hold of the details, my life would be at risk, and that’s why I’m spewing.
“I know of others like me who are also terrified.”
Having previously been the victim of other privacy breaches by healthcare providers, the man said he had no trust in their ability to keep online data safe.
“We’ve got the government trying to push for centralised medical storage that anyone anywhere in the country can access and I’m like ‘Hell no, over my dead body’.”
Another patient said there had been “zero communication” with patients from her practice.
“I’m highly disappointed in not only the hacking, but the deafening silence from my doctors and from Manage My Health.
“I found out this had happened via a Facebook group where someone had shared a news article about it.”
Sign up for Ngā Pitopito Kōrero, a daily newsletter curated by our editors and delivered straight to your inbox every weekday.
– Published by EveningReport.nz and AsiaPacificReport.nz, see: MIL OSI in partnership with Radio New Zealand
