Source: Radio New Zealand
A ransom hack on New Zealand’s largest health portal is being billed as one of the country’s biggest cybersecurity incidents, but how does it compare?
The hackers have threatened to release more than 400,000 documents stolen from about 126,000 ManageMyHealth patients if the private company failed to pay $60,000 by 5am Tuesday.
The breach has prompted a government review of what happened, looking into whether security protections were sufficient, and any improvements that should be made.
ManageMyHealth is seeking an injunction on the patient information being used publicly, and working to notify those affected.
The company is also working with Health NZ, the Ministry, the Privacy Commissioner and General Practice to minimise ongoing risk.
The National Cyber Security Centre (NCSC)’s latest Cyber Threat Report in December identified increasing commercialisation of cybercrime, with known weaknesses and unpatched vulnerabilities in New Zealand “providing threat actors with easy access”.
More than 40 percent of incidents NCSC dealt with in the 2024/25 year had links to criminal or financial motivations, compared to about 25 percent with suspected links to state-sponsored actors. About 34 percent could not be linked to either.
The number of criminal or financially motivated attacks more than doubled compared to the previous year, and financial losses rose from more than $26.9m to $21.6m.
The agency, which provides cybersecurity services to all New Zealanders, advises not paying ransoms to hackers.
“Unfortunately, many of those who pay do not get their data back or their systems unlocked, and sometimes they are extorted further with the threat of releasing sensitive data.”
The report said AI had only added to the threat – with attackers no longer needing advanced technical skills to launch convincing and scalable attacks.
“The scale and speed of AI-driven attacks could overwhelm traditional security teams, especially if basic cyber hygiene is lacking. Still, automation benefits both sides: rapid detection and response must outpace automated attacks to remain effective,” the report said.
Waikato DHB
One of the most notorious attacks affecting New Zealand specifically, the Waikato District Health Board (DHB) incident received significant media attention due to its clear effect on local hospitals.
The attack paralysed services at five hospitals on 18 May 2021, after hackers brought down the District Health Board (DHB)’s 611 servers and – six weeks later – leaked private data from more than 4000 patients and employees on the dark web.
As with the ManageMyHealth attack, the hackers used ransomware – software which threatens to shut down access and/or steal data unless a ransom is paid – to shut down all phones and internal systems other than email.
Staff were still having to use manual workarounds in some areas three months later, when the DHB was still trying to figure out how big the patient backlog would be.
The DHB had been warned just months earlier about its outdated security provisions, including clinical devices still running Windows XP – which had not been supported for five years – being behind on security patches, and having too few staff to manage upgrades.
A report later found the DHB was up to date with patching, and that software vulnerabilities did not play a role in the incident. However, many of that report’s insights into how well set up the DHB was prior to the incident, and details of the attack, were redacted.
Tonga Health System, 2025
Tonga’s health system was taken down for nearly a month in June last year by hackers demanding $1 million.
The ransom was not paid and Tonga got help from Australia to restore their system, asking patients for weeks to bring in handwritten notes instead of relying on their own records.
Case study
In an example that never hit the headlines, the NCSC’s report illustrated how strong security and quick responses could be effective in combating ransomware attacks by highlighting another case in the health sector.
“Many of the organisation’s servers and endpoint devices had been encrypted, and a large amount of data was stolen,” the report said.
“The organisation’s IT provider helped it to take initial remediation steps, which included changing credentials, updating accounts, and deploying extra security measures.”
The report said the NCSC had found a lack of multi-factor authentication (MFA) – where a user provides two or more verifications, like a password as well as a phone access code – had allowed a hacker to gain access.
“Fortunately, the organisation had completed system backups just one hour before the ransomware activity occurred. By restoring from these recent backups, it was able to successfully recover its systems and quickly return to normal operations.”
The report said such frequent backups were what allowed the organisation to recover so fast, but having MFA would have prevented the attack.
WannaCry attack 2017
The WannaCry attack in May 2017 was notable for its breadth.
Locking down more than 300,000 computers in more than 150 countries, the attackers demanded US$300 for each machine affected.
WannaCry was named after the ransomware used to prevent people from accessing their files.
Most of those affected were thought to have not paid the hackers, and reports suggested those who paid were not rewarded with access to their documents.
The UK’s health service was particularly affected, with nearly 20,000 hospital appointments cancelled.
In New Zealand, perhaps one of the biggest effects was the shutdown of Lyttelton Port as a precaution.
Afterward, Counties Manukau DHB reported significant challenges and gaps in how medical device computers were managed, which experts warned would be widespread and a challenge for DHBs.
The United States pinned the blame on North Korea.
Qantas
Moving away from health data, New Zealanders were also caught up in the breach that affected 5.7 million Qantas customers in mid-2025.
The Australian airline in October revealed the extent of the attack, which stole data from about 40 companies worldwide in June.
Details taken included customer records such as name, email address and frequent flyer details.
Thankfully, no credit card, personal financial information, passport details or Qantas frequent flyer account passwords and logins were thought to have been taken.
Nissan cyber attack 2024
About 100,000 customers from carmaker Nissan’s Australian and New Zealand arms were affected by a hack in March 2024, with copies of documents including driver licences, passports, tax files and Medicare cards taken.
At least some of the stolen data was published on the dark web.
Latitude Financial, 2023
In March 2023, Australian financial services firm Latitude announced on the Australian stock exchange that it had been hit by an attack.
Initially believed to affect just 330,000 people, Latitude eventually confirmed the attack affected more than 14 million documents in what was believed to have been the biggest data breach in New Zealand at the time.
More than a million New Zealand driver licence numbers, 90,000 personal bank account numbers, details from 34,000 passports, and details relating to the company’s Gem Visa credit cards were thought to have been taken.
A ransom was demanded, but was not paid.
Mercury IT, 2022
An attack in 2022 saw Health NZ and the Ministry of Justice lose access to health and coronial files.
The data – about 14,500 coronial files, 4000 post mortem reports, about 8500 bereavement care records, and about 5500 Cardiac and Inherited Disease Registry records dating back as far as 2018 – was held by external provider Mercury IT.
The NCSC’s latest annual report identifies such “supply chain hack” attacks targeting third-party suppliers and services as an increasing trend.
“This approach works where the third party may not adhere to the same security standards as the target organisation, or where actors are prepared to put in the effort to compromise the third party because it is key to unlocking access to one or more valuable targets,” the report said.
At the time, Mercury said it immediately reported the attack to government authorities after learning about it on 30 November.
The Ministry of Justice and Health NZ said there was no evidence of any unauthorised access or downloading of the files, but an official said it could not be ruled out.
Squirrel, 2024
Another example of a supply chain hack, mortgage broking and investment firm Squirrel was targeted in an attack exposing about 600 peer-to-peer investors’ passport or drivers’ licence details.
The company said the attack had hit a third-party system used for registering investors, which was held for 30 days.
“The data that was exposed was people’s name, date of birth and ID number… there was no Squirrel info or any more personal info exposed,” founder John Bolton said.
AA Traveller
The AA Traveller website in May 2022 reported names, addresses, contact details and expired credit card numbers from hundreds of thousands of customers had been stolen the previous August.
The breach affected customers who had used the website between 2003 and 2018.
A further 30,000 people who took an online AA Travel New Zealand survey in 2010 had also been exposed to risk of being hacked by an overseas account.
China accused of hacking NZ Parliament
Senior Minister Judith Collins – who has responsibility for the GCSB and SIS spy agencies – revealed in March 2024 the Parliamentary Service and Parliamentary Counsel Office had allegedly been targeted in 2021 by a group called APT40.
“Fortunately, in this instance, the NCSC worked with the impacted organisations to contain the activity and remove the actor shortly after they were able to access the network,” she told reporters.
Collins’ announcement followed one in 2021 by her predecessor Andrew Little, who said the GCSB had uncovered links between APT40 and the Chinese government.
He said at the time Chinese state-sponsored hackers had been identified as being responsible for an attack targeting Microsoft Exchange email software.
China’s embassy has maintained the accusations linking it to hacking in New Zealand are “groundless and irresponsible”.
NZX attack in 2020
The New Zealand stock exchange came under repeated Distributed Denial of Service (DDoS) attacks in August 2020, bringing trading to a halt.
Public-facing NZX servers were taken down for nearly a week, and trading had to be intermittently halted for four days in a row.
Such attacks coordinate large volumes of internet traffic to a target to overwhelm servers and networks.
They have also been used as leverage to try to get a ransom in return for the hackers halting their attacks.
CrowdStrike
An event described as the biggest IT meltdown the world had ever seen was less deliberate attack, more unintentional glitch.
The CrowdStrike incident in mid-2024 saw errant code in a security update bring down services including airlines, healthcare, shipping, finance, TV and transport networks around the world.
New Zealand was affected, including with internet services going down, but largely escaped some of the worst impacts.
– Published by EveningReport.nz and AsiaPacificReport.nz, see: MIL OSI in partnership with Radio New Zealand






