MH A.I CyberSecurity Scoring
MH
Company Information
Website:http://www.managemyhealth.co.nz
Employees number:23
Number of followers:1,216
NAICS:71394
Industry Type:Wellness and Fitness Services
Homepage:managemyhealth.co.nz
MH Risk Score (AI oriented)
Between 0 and 549
MHWellness and Fitness Services
Updated:
27/05/2026
27/05/2026
374/1000
Critical
C
MH Global Score (TPRM)
xxxx
MHWellness and Fitness Services
Score locked

MHCritical
Current Score
374C (CRITICAL)
01000
5 incidents
-122 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
385
JUNE 2026
382
MAY 2026
369
APRIL 2026
368
MARCH 2026
355
FEBRUARY 2026
349
JANUARY 2026
399
Breach
31 Dec 2025 • MH
ManageMyHealth: ManageMyHealth data breach: Patients warned after unauthorised access
ManageMyHealth Cyber Security Breach
338
CRITICAL-61
MAN1767203875
ManageMyHealth Investigates Cybersecurity Breach Impacting Patient Medical Records
ManageMyHealth, a New Zealand-based digital health portal that allows patients to access medical records and connect with clinicians, has confirmed a cybersecurity breach involving unauthorized system access. The incident was disclosed in a statement by CEO Vino Ramayah, who confirmed that the company is actively investigating the breach in collaboration with partners and authorities.
Containment measures have been implemented, though specific details about the scope of the breach—including the number of affected users or the type of data exposed—remain unconfirmed. ManageMyHealth has pledged to provide updates as the investigation progresses.
The breach raises concerns about the security of sensitive health data, particularly as digital health platforms increasingly serve as central repositories for personal medical information. No further technical details or attribution for the attack have been released at this stage.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
DECEMBER 2025
484
Breach
21 Dec 2025 • MH
ManageMyHealth: ManageMyHealth warned before massive data breach – inquiry
New Zealand’s Largest Health Data Breach Exposes 99,000 Patients Due to Preventable Security Failures
398
CRITICAL-86
MAN1779856181
New Zealand’s Largest Health Data Breach Exposes 99,000 Patients Due to Preventable Security Failures
A preventable cyberattack on ManageMyHealth, a patient portal serving 1.8 million users across 680+ health centers, resulted in the theft of sensitive data belonging to 99,416 individuals one of New Zealand’s most damaging health sector breaches. The incident, which occurred on December 21, 2023, exposed clinical notes, intimate imagery, and passport scans, raising risks of blackmail and identity fraud.
### Key Findings: A Breach Foretold
An independent security researcher warned the Ministry of Health in November 2023 about critical vulnerabilities in ManageMyHealth’s API security, with similar flaws flagged as early as December 2022. Despite these alerts, no evidence suggests the issues were fixed before the attack. The hacker, operating under the alias "Kazu", exploited a compromised user login and weak API controls to exfiltrate data an attack described as "neither technically sophisticated, nor particularly uncommon" by investigators.
The Privacy Commissioner, Michael Webster, determined that both ManageMyHealth and Health NZ breached the Privacy Act by failing to implement reasonable safeguards. Webster announced plans to issue compliance notices, the strongest enforcement tool available, against both organizations.
### Impact and Response
- 91% of affected patients were based in Northland, with a disproportionate impact on Māori communities.
- Initial estimates suggested 127,000 individuals were exposed, later revised to 99,416.
- The hacker demanded US$60,000 (NZ$104,000) for the data’s return, though no mass release occurred. A police investigation remains ongoing.
- ManageMyHealth acknowledged the breach, apologized, and claimed the attack was limited to the "My Health Documents" section of its platform. The company has since implemented security upgrades, appointed an independent advisory board, and offered affected patients identity protection and mental health support.
### Systemic Failures and Recommendations
A CyberCX report, commissioned by the Ministry of Health, found ManageMyHealth unprepared for such an incident, with significant control failings and misalignment with health information security frameworks. Patient notifications were criticized as "confused, overly optimistic, and inaccurate", with some unaffected users mistakenly alerted.
The review issued 12 recommendations, including:
- Mandatory penetration testing and external compliance assessments for ManageMyHealth.
- Stronger third-party supplier oversight by Health NZ, moving away from self-assessment models.
- Clearer protocols for patient notifications during breaches.
### Broader Cybersecurity Reforms
The Ministry of Health confirmed system-wide improvements, including:
- Independent security assessments for key third-party suppliers.
- A desktop review of other major patient portals.
- A new action plan to strengthen cybersecurity expectations for vendors handling sensitive health data.
The breach underscored the need for proactive security measures and accountability in New Zealand’s health sector, with officials emphasizing that preventable incidents like this must not recur.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
DATA BREACH
REFERENCES
NOVEMBER 2025
481
OCTOBER 2025
476
SEPTEMBER 2025
470
AUGUST 2025
465
JULY 2025
676
Breach
18 Jul 2025 • MH
ManageMyHealth and Canopy Health: Second NZ health provider, Canopy Health, reveals cyberattack
Canopy Health Cyberattack
457
CRITICAL-219
MANCAN1768238831
New Zealand Health Providers Hit by Cyberattacks as Legal and Notification Delays Raise Concerns
Two major New Zealand healthcare providers ManageMyHealth (MMH) and Canopy Health have disclosed cybersecurity breaches in recent weeks, highlighting vulnerabilities in the sector and sparking debates over legal protections and transparency.
Canopy Health, the country’s largest private medical oncology provider, revealed on 18 July 2025 that an unknown attacker had gained unauthorized access to an administrative server. The company, which operates 24 diagnostic clinics, eight oncology centers, two breast surgical facilities, and a drug compounding business, stated the incident was contained but acknowledged that some data may have been copied. A forensic review confirmed the breach, though details on the scope of exposed information remain limited. Canopy secured an urgent injunction from the New Zealand High Court to block the use or publication of any accessed data and reported the incident to NZ Police and the Office of the Privacy Commissioner.
Separately, ManageMyHealth faced a breach earlier this year, with the company only beginning to notify affected patients six months after the attack. The delayed disclosure has drawn criticism, particularly as the provider handles sensitive medical records. A court injunction was also granted in this case, restricting the dissemination of compromised data.
The incidents follow a broader trend of healthcare organizations becoming prime targets for cybercriminals, with ransomware groups like CrazyHunter recently compromising six healthcare providers in Taiwan. Legal actions, such as injunctions, have become a common response to prevent data leaks, though their impact on press freedom and public awareness remains contentious.
As investigations continue, the breaches underscore ongoing challenges in cybersecurity preparedness, regulatory oversight, and timely breach notifications within the healthcare sector.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
Ransomware
18 Jul 2025 • MH
ManageMyHealth and Canopy Healthcare: Canopy Healthcare alerts patients to a data breach that occurred six months ago
Canopy Healthcare Data Breach
457
CRITICAL-219
MANCAN1768189120
Canopy Healthcare Reports Six-Month-Old Data Breach Affecting Patient and Staff Records
Canopy Healthcare, New Zealand’s largest private medical oncology provider—encompassing facilities like Auckland Breast Centre, Canopy Cancer Care, and Canopy Imaging—has disclosed a data breach that occurred on July 18, 2025, but only notified affected individuals six months later. The unauthorized access targeted administrative systems, potentially exposing patient records, passport details, and a limited number of bank account numbers provided for payments or refunds.
While the company confirmed that credit card information remained unaffected, it acknowledged uncertainty about the full scope of compromised data. Canopy has directly contacted impacted patients and staff, including those whose identity documents may have been accessed. Affected individuals with exposed passport details were advised to place an alert on their records via the Ministry of Internal Affairs.
The breach follows a December 2024 ransomware attack on the ManageMyHealth portal, a separate healthcare service provider, which compromised 127,000 patient files. Health Minister Simeon Brown has since directed the Ministry of Health to review the ManageMyHealth incident, though no direct link between the two breaches has been established.
Canopy reported the incident to the Privacy Commissioner and police at the time but stated it has not received contact from the unauthorized party or identified the attackers. Despite the breach, the company confirmed that operations continued normally, and no ransom demands were made.
The delayed disclosure has raised questions about healthcare cybersecurity governance, with authorities yet to comment on the Canopy breach. The incident adds to growing concerns over data protection in New Zealand’s private healthcare sector.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
JANUARY 2025
764
Breach
01 Jan 2025 • MH
ManageMyHealth: Digital Risk Is Now a Clinical Challenge
New Zealand’s ManageMyHealth Breach Exposes 120,000 Patients
666
CRITICAL-98
MAN1771975384
New Zealand’s ManageMyHealth Breach Exposes 120,000 Patients, Highlighting Systemic Healthcare Cyber Risks
A recent breach of New Zealand’s ManageMyHealth patient portal compromised sensitive data belonging to approximately 120,000 individuals, marking one of the country’s most significant healthcare privacy incidents. Unlike financial data, medical records cannot be reset, leaving affected patients vulnerable to long-term risks.
The incident underscores a broader shift in healthcare cybersecurity across the Asia-Pacific region, where breaches increasingly stem from organizational and governance failures rather than isolated technical vulnerabilities. Three critical gaps have emerged: fragmented threat intelligence, weak access controls, and unmanaged third-party risk.
### Fragmented Intelligence and Slow Response
Healthcare providers often operate in silos, detecting and responding to threats independently. Attackers, however, collaborate across regions, reusing tools and tactics. The ManageMyHealth breach demonstrated how poor coordination unclear communication, inconsistent situational awareness, and delayed escalation prolonged uncertainty for patients, clinicians, and partners. Effective threat intelligence sharing requires secure, structured pattern recognition, while predefined escalation protocols and joint response playbooks can improve sector-wide resilience.
### Weak Access Governance
Despite advanced security tools, compromised credentials remain a leading attack vector. Healthcare’s operational demands rotating staff, legacy systems, and urgent clinical needs often lead to unchecked access proliferation. Dormant accounts, excessive permissions, and shared logins create persistent vulnerabilities. Multifactor authentication helps but cannot compensate for poor governance. Continuous access reviews, role-based privilege management, and structured off-boarding are essential to reducing exposure.
### Third-Party Risk Expansion
Patient portals, cloud services, and telehealth platforms now form the backbone of care delivery, redistributing risk across multiple vendors. Traditional third-party risk assessments annual questionnaires and compliance audits fail to address real-time operational threats. Organizations must adopt continuous governance, including real-time visibility into vendor access, contractually defined breach response protocols, and structured off-boarding to prevent lingering integrations from expanding the attack surface.
The ManageMyHealth breach serves as a case study in how digital risk has become clinical risk. Healthcare cybersecurity can no longer be an afterthought; it requires enterprise-wide governance, disciplined access controls, and proactive vendor oversight to protect patient safety and trust.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
Frequently Asked Questions
?
What is the current A.I Rankiteo Cyber Score for MH ??
What was MH's A.I Rankiteo Cyber Score in June 2026 ??
What was MH's A.I Rankiteo Cyber Score in May 2026 ??
What was MH's A.I Rankiteo Cyber Score in April 2026 ??
What was MH's A.I Rankiteo Cyber Score in March 2026 ??
What was MH's A.I Rankiteo Cyber Score in February 2026 ??
What was MH's A.I Rankiteo Cyber Score in January 2026 ??
What was MH's A.I Rankiteo Cyber Score in December 2025 ??
What was MH's A.I Rankiteo Cyber Score in November 2025 ??
What was MH's A.I Rankiteo Cyber Score in October 2025 ??
What was MH's A.I Rankiteo Cyber Score in September 2025 ??
What was MH's A.I Rankiteo Cyber Score in August 2025 ??
What is the average per-incident point impact on MH's A.I Rankiteo Cyber Score over the past 12 months ??
Where can I access detailed records of all cyber incidents associated with MH ??
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ??
Where can I view MH's profile page on Rankiteo ??
How accurate is the A.I Rankiteo Risk Scoring methodology ?