NZ Patient Portal Breach Exposes Health Records of 126,000

Executive Summary

On January 1, 2026, ManageMyHealth, New Zealand's predominant patient portal service, disclosed a major data breach affecting up to 126,000 of its 1.8 million users. The incident, detected on December 30, 2025, involved unauthorized access to a specific document storage module containing highly sensitive patient health information. A threat actor, 'Kazu', has claimed responsibility and issued a ransom demand, stating they exfiltrated 428,337 files. This breach poses a severe privacy risk to affected individuals and highlights the critical need for robust security controls around sensitive healthcare data repositories.

Threat Overview

The attack specifically targeted the "My Health Documents" module of the ManageMyHealth platform. This module is a repository for documents uploaded by both patients and clinicians. The company has stated that its core patient database, user credentials, and other portal functions were not compromised. However, the data stolen from the document module is extensive and includes:

• Clinical notes and specialist referrals
• Hospital discharge summaries
• Laboratory and test results
• Vaccination records
• Medical photographs

The threat actor 'Kazu' claimed responsibility on a cybercrime forum, asserting the theft of 108 GB of data. This action follows a double-extortion model, where data is not only encrypted or stolen but also threatened to be publicly released if the ransom is not paid. The New Zealand government has commissioned a review, and relevant authorities like the New Zealand Police and the Office of the Privacy Commissioner are involved.

Technical Analysis

While the exact initial access vector has not been disclosed, the compromise of a specific document storage module points towards several potential TTPs. The attack likely involved exploiting a vulnerability in the web application or its underlying cloud infrastructure.

Attack Chain & MITRE ATT&CK Mapping

1. Initial Access: The attacker likely gained initial access by exploiting a vulnerability in the public-facing web application. This could be a flaw like SQL injection, insecure direct object reference (IDOR), or a zero-day. (T1190 - Exploit Public-Facing Application)
2. Discovery & Collection: Once inside, the attacker would have identified the high-value data stored in the document module. They then proceeded to access and aggregate this data. (T1530 - Data from Cloud Storage Object)
3. Exfiltration: The attacker exfiltrated the aggregated 108 GB of data to an external, actor-controlled server. (T1567 - Exfiltration Over Web Service)
4. Impact: The threat actor issued a ransom demand, threatening to leak the data, a hallmark of modern ransomware and data extortion campaigns. (T1486 - Data Encrypted for Impact is often paired with extortion, even if encryption wasn't the primary goal).

Impact Assessment

The business and societal impact of this breach is severe. For the affected 126,000 individuals, the exposure of their most private health information can lead to emotional distress, blackmail, and identity theft. For ManageMyHealth, the incident results in significant reputational damage, loss of trust from patients and clinicians, and substantial costs related to incident response, legal fees, regulatory fines, and patient notifications. The operational impact on Health New Zealand (Te Whatu Ora) and associated general practices includes managing patient concerns and potential disruptions to digital workflows.

Cyber Observables for Detection

Security teams should hunt for the following patterns to detect similar attacks:

Detection & Response

• D3FEND: D3-NTA: Network Traffic Analysis: Implement network monitoring to baseline normal traffic patterns from the application's storage modules. Alert on significant deviations in data volume, destination, or frequency, especially traffic directed to non-standard external IP addresses.
• D3FEND: D3-FA: File Analysis: While the data was legitimate, file access logging is crucial. Implement detailed logging for all access to the 'My Health Documents' module. Correlate access logs with user sessions to detect anomalous patterns, such as a single session accessing thousands of documents.
• Incident Response: Upon detecting anomalous activity, immediately move to isolate the affected component. Revoke any potentially compromised credentials or API keys. Preserve logs from the web server, application, and cloud storage for forensic analysis. Activate the data breach notification plan.

Mitigation

• D3FEND: D3-ACH: Application Configuration Hardening: Conduct a thorough security review of the patient portal application, focusing on access control mechanisms (especially for the document module). Implement strong authorization checks to ensure users can only access their own documents (preventing IDOR).
• Network Segmentation: Isolate the document storage infrastructure from other parts of the application environment. Apply strict firewall rules that only permit necessary communication and restrict outbound traffic to known, legitimate destinations.
• Data Loss Prevention (DLP): Deploy DLP solutions at the network egress point and on the cloud storage service to detect and block the exfiltration of large volumes of data matching sensitive PHI patterns.
• Regular Penetration Testing: Engage independent security firms to conduct regular, in-depth penetration tests of the patient portal, with a specific focus on business logic flaws and access control vulnerabilities.