Rankiteo Logo
Rankiteo
Leader in Cyber Underwriting
Loading...
NEWRankiteo Cyber Underwriting Desktop - Score, price, and bind from your desktop
WindowsmacOSLinux
Download
Manage My Health

Manage My Health Vendor Cyber Rating & Cyber Score

managemyhealth.co.nz

Manage My Health is New Zealand’s most popular patient portal. Since 2008 we have empowered nearly 2 million Kiwis to have their health in their hands and over 680 health centres trust Manage My Health to help them connect more effectively with their patients. Manage My Health is a secure website that lets you manage your personal health information on any device, any time, anywhere in the world. It’s linked up directly to your doctor’s system and can also store other information, like treatments you’ve received or medications you’re taking. We’ll help you stay on top of your health with health-related news, community forums and access to wellness initiatives. We’re on an exciting journey to continue to improve what we offer so Manage


MH A.I CyberSecurity Scoring

MH
Company Information
Website:http://www.managemyhealth.co.nz
Employees number:23
Number of followers:1,216
NAICS:71394
Industry Type:Wellness and Fitness Services
Homepage:managemyhealth.co.nz
MH Risk Score (AI oriented)
Between 0 and 549
logo
MHWellness and Fitness Services
Updated:
27/05/2026
374/1000
Critical
C
AaaAaABaaBaBCaaCaC
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium
MH Global Score (TPRM)
xxxx
logo
MHWellness and Fitness Services
•••
Score locked
Instant access to detailed risk factors
Vulnerabilities
Benchmark vs. industry & size peers
Findings

MH
MHCritical
Current Score
374C (CRITICAL)
01000
5 incidents
-122 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
385Before Incident
JUNE 2026
382Before Incident
MAY 2026
369Before Incident
APRIL 2026
368Before Incident
MARCH 2026
355Before Incident
FEBRUARY 2026
349Before Incident
JANUARY 2026
399Before Incident
Breach
31 Dec 2025MH
ManageMyHealth: ManageMyHealth data breach: Patients warned after unauthorised access

ManageMyHealth Cyber Security Breach

338After Incident
CRITICAL-61
MAN1767203875
ManageMyHealth Investigates Cybersecurity Breach Impacting Patient Medical Records ManageMyHealth, a New Zealand-based digital health portal that allows patients to access medical records and connect with clinicians, has confirmed a cybersecurity breach involving unauthorized system access. The incident was disclosed in a statement by CEO Vino Ramayah, who confirmed that the company is actively investigating the breach in collaboration with partners and authorities. Containment measures have been implemented, though specific details about the scope of the breach—including the number of affected users or the type of data exposed—remain unconfirmed. ManageMyHealth has pledged to provide updates as the investigation progresses. The breach raises concerns about the security of sensitive health data, particularly as digital health platforms increasingly serve as central repositories for personal medical information. No further technical details or attribution for the attack have been released at this stage.
INCIDENT DETAILS -
TYPE
Data Breach
IMPACT
Data Compromised: Medical recordsIdentity Theft Risk: High
DATA BREACH
Type Of Data Compromised: Medical records, Personal health informationSensitivity Of Data: HighPersonally Identifiable Information: Yes
DECEMBER 2025
484Before Incident
Breach
21 Dec 2025MH
ManageMyHealth: ManageMyHealth warned before massive data breach – inquiry

New Zealand’s Largest Health Data Breach Exposes 99,000 Patients Due to Preventable Security Failures

398After Incident
CRITICAL-86
MAN1779856181
New Zealand’s Largest Health Data Breach Exposes 99,000 Patients Due to Preventable Security Failures A preventable cyberattack on ManageMyHealth, a patient portal serving 1.8 million users across 680+ health centers, resulted in the theft of sensitive data belonging to 99,416 individuals one of New Zealand’s most damaging health sector breaches. The incident, which occurred on December 21, 2023, exposed clinical notes, intimate imagery, and passport scans, raising risks of blackmail and identity fraud. ### Key Findings: A Breach Foretold An independent security researcher warned the Ministry of Health in November 2023 about critical vulnerabilities in ManageMyHealth’s API security, with similar flaws flagged as early as December 2022. Despite these alerts, no evidence suggests the issues were fixed before the attack. The hacker, operating under the alias "Kazu", exploited a compromised user login and weak API controls to exfiltrate data an attack described as "neither technically sophisticated, nor particularly uncommon" by investigators. The Privacy Commissioner, Michael Webster, determined that both ManageMyHealth and Health NZ breached the Privacy Act by failing to implement reasonable safeguards. Webster announced plans to issue compliance notices, the strongest enforcement tool available, against both organizations. ### Impact and Response - 91% of affected patients were based in Northland, with a disproportionate impact on Māori communities. - Initial estimates suggested 127,000 individuals were exposed, later revised to 99,416. - The hacker demanded US$60,000 (NZ$104,000) for the data’s return, though no mass release occurred. A police investigation remains ongoing. - ManageMyHealth acknowledged the breach, apologized, and claimed the attack was limited to the "My Health Documents" section of its platform. The company has since implemented security upgrades, appointed an independent advisory board, and offered affected patients identity protection and mental health support. ### Systemic Failures and Recommendations A CyberCX report, commissioned by the Ministry of Health, found ManageMyHealth unprepared for such an incident, with significant control failings and misalignment with health information security frameworks. Patient notifications were criticized as "confused, overly optimistic, and inaccurate", with some unaffected users mistakenly alerted. The review issued 12 recommendations, including: - Mandatory penetration testing and external compliance assessments for ManageMyHealth. - Stronger third-party supplier oversight by Health NZ, moving away from self-assessment models. - Clearer protocols for patient notifications during breaches. ### Broader Cybersecurity Reforms The Ministry of Health confirmed system-wide improvements, including: - Independent security assessments for key third-party suppliers. - A desktop review of other major patient portals. - A new action plan to strengthen cybersecurity expectations for vendors handling sensitive health data. The breach underscored the need for proactive security measures and accountability in New Zealand’s health sector, with officials emphasizing that preventable incidents like this must not recur.
INCIDENT DETAILS -
TYPE
Data Breach
MOTIVATION
Extortion (Ransom demand)
IMPACT
Data Compromised: Clinical notes, intimate imagery, passport scans, personally identifiable informationSystems Affected: ManageMyHealth patient portal (My Health Documents section)Operational Impact: Patient notifications were confused and inaccurate; some unaffected users mistakenly alertedBrand Reputation Impact: Significant reputational damage to ManageMyHealth and Health NZLegal Liabilities: Breach of Privacy Act; compliance notices issuedIdentity Theft Risk: High (exposure of sensitive personal data)
DATA BREACH
Clinical notesIntimate imageryPassport scansPersonally identifiable informationNumber Of Records Exposed: 99,416Sensitivity Of Data: High (medical and personal data)Data Exfiltration: YesPersonally Identifiable Information: Yes
NOVEMBER 2025
481Before Incident
OCTOBER 2025
476Before Incident
SEPTEMBER 2025
470Before Incident
AUGUST 2025
465Before Incident
JULY 2025
676Before Incident
Breach
18 Jul 2025MH
ManageMyHealth and Canopy Health: Second NZ health provider, Canopy Health, reveals cyberattack

Canopy Health Cyberattack

457After Incident
CRITICAL-219
MANCAN1768238831
New Zealand Health Providers Hit by Cyberattacks as Legal and Notification Delays Raise Concerns Two major New Zealand healthcare providers ManageMyHealth (MMH) and Canopy Health have disclosed cybersecurity breaches in recent weeks, highlighting vulnerabilities in the sector and sparking debates over legal protections and transparency. Canopy Health, the country’s largest private medical oncology provider, revealed on 18 July 2025 that an unknown attacker had gained unauthorized access to an administrative server. The company, which operates 24 diagnostic clinics, eight oncology centers, two breast surgical facilities, and a drug compounding business, stated the incident was contained but acknowledged that some data may have been copied. A forensic review confirmed the breach, though details on the scope of exposed information remain limited. Canopy secured an urgent injunction from the New Zealand High Court to block the use or publication of any accessed data and reported the incident to NZ Police and the Office of the Privacy Commissioner. Separately, ManageMyHealth faced a breach earlier this year, with the company only beginning to notify affected patients six months after the attack. The delayed disclosure has drawn criticism, particularly as the provider handles sensitive medical records. A court injunction was also granted in this case, restricting the dissemination of compromised data. The incidents follow a broader trend of healthcare organizations becoming prime targets for cybercriminals, with ransomware groups like CrazyHunter recently compromising six healthcare providers in Taiwan. Legal actions, such as injunctions, have become a common response to prevent data leaks, though their impact on press freedom and public awareness remains contentious. As investigations continue, the breaches underscore ongoing challenges in cybersecurity preparedness, regulatory oversight, and timely breach notifications within the healthcare sector.
INCIDENT DETAILS -
TYPE
Data Breach
IMPACT
Data Compromised: YesSystems Affected: Administration server
DATA BREACH
Sensitivity Of Data: Likely high (medical/patient data)Data Exfiltration: Possible (data may have been copied)
Ransomware
18 Jul 2025MH
ManageMyHealth and Canopy Healthcare: Canopy Healthcare alerts patients to a data breach that occurred six months ago

Canopy Healthcare Data Breach

457After Incident
CRITICAL-219
MANCAN1768189120
Canopy Healthcare Reports Six-Month-Old Data Breach Affecting Patient and Staff Records Canopy Healthcare, New Zealand’s largest private medical oncology provider—encompassing facilities like Auckland Breast Centre, Canopy Cancer Care, and Canopy Imaging—has disclosed a data breach that occurred on July 18, 2025, but only notified affected individuals six months later. The unauthorized access targeted administrative systems, potentially exposing patient records, passport details, and a limited number of bank account numbers provided for payments or refunds. While the company confirmed that credit card information remained unaffected, it acknowledged uncertainty about the full scope of compromised data. Canopy has directly contacted impacted patients and staff, including those whose identity documents may have been accessed. Affected individuals with exposed passport details were advised to place an alert on their records via the Ministry of Internal Affairs. The breach follows a December 2024 ransomware attack on the ManageMyHealth portal, a separate healthcare service provider, which compromised 127,000 patient files. Health Minister Simeon Brown has since directed the Ministry of Health to review the ManageMyHealth incident, though no direct link between the two breaches has been established. Canopy reported the incident to the Privacy Commissioner and police at the time but stated it has not received contact from the unauthorized party or identified the attackers. Despite the breach, the company confirmed that operations continued normally, and no ransom demands were made. The delayed disclosure has raised questions about healthcare cybersecurity governance, with authorities yet to comment on the Canopy breach. The incident adds to growing concerns over data protection in New Zealand’s private healthcare sector.
INCIDENT DETAILS -
TYPE
Data Breach
IMPACT
Data Compromised: Patient records, passport information, bank account details, staff identity informationSystems Affected: Administration systemsOperational Impact: Operations and services continued as normalIdentity Theft Risk: High (passport and bank account details exposed)Payment Information Risk: Bank account numbers exposed (no credit cards affected)
DATA BREACH
Patient recordsPassport informationBank account detailsStaff identity informationNumber Of Records Exposed: Small amount (exact number not specified)Sensitivity Of Data: HighPersonally Identifiable Information: Yes
JANUARY 2025
764Before Incident
Breach
01 Jan 2025MH
ManageMyHealth: Digital Risk Is Now a Clinical Challenge

New Zealand’s ManageMyHealth Breach Exposes 120,000 Patients

666After Incident
CRITICAL-98
MAN1771975384
New Zealand’s ManageMyHealth Breach Exposes 120,000 Patients, Highlighting Systemic Healthcare Cyber Risks A recent breach of New Zealand’s ManageMyHealth patient portal compromised sensitive data belonging to approximately 120,000 individuals, marking one of the country’s most significant healthcare privacy incidents. Unlike financial data, medical records cannot be reset, leaving affected patients vulnerable to long-term risks. The incident underscores a broader shift in healthcare cybersecurity across the Asia-Pacific region, where breaches increasingly stem from organizational and governance failures rather than isolated technical vulnerabilities. Three critical gaps have emerged: fragmented threat intelligence, weak access controls, and unmanaged third-party risk. ### Fragmented Intelligence and Slow Response Healthcare providers often operate in silos, detecting and responding to threats independently. Attackers, however, collaborate across regions, reusing tools and tactics. The ManageMyHealth breach demonstrated how poor coordination unclear communication, inconsistent situational awareness, and delayed escalation prolonged uncertainty for patients, clinicians, and partners. Effective threat intelligence sharing requires secure, structured pattern recognition, while predefined escalation protocols and joint response playbooks can improve sector-wide resilience. ### Weak Access Governance Despite advanced security tools, compromised credentials remain a leading attack vector. Healthcare’s operational demands rotating staff, legacy systems, and urgent clinical needs often lead to unchecked access proliferation. Dormant accounts, excessive permissions, and shared logins create persistent vulnerabilities. Multifactor authentication helps but cannot compensate for poor governance. Continuous access reviews, role-based privilege management, and structured off-boarding are essential to reducing exposure. ### Third-Party Risk Expansion Patient portals, cloud services, and telehealth platforms now form the backbone of care delivery, redistributing risk across multiple vendors. Traditional third-party risk assessments annual questionnaires and compliance audits fail to address real-time operational threats. Organizations must adopt continuous governance, including real-time visibility into vendor access, contractually defined breach response protocols, and structured off-boarding to prevent lingering integrations from expanding the attack surface. The ManageMyHealth breach serves as a case study in how digital risk has become clinical risk. Healthcare cybersecurity can no longer be an afterthought; it requires enterprise-wide governance, disciplined access controls, and proactive vendor oversight to protect patient safety and trust.
INCIDENT DETAILS -
TYPE
Data Breach
IMPACT
Data Compromised: Sensitive medical recordsSystems Affected: ManageMyHealth patient portalOperational Impact: Prolonged uncertainty for patients, clinicians, and partnersBrand Reputation Impact: Erosion of patient trustIdentity Theft Risk: Long-term risks for affected patients
DATA BREACH
Type Of Data Compromised: Medical records, personally identifiable informationNumber Of Records Exposed: 120,000Sensitivity Of Data: High (medical records cannot be reset)Personally Identifiable Information: Yes

Frequently Asked Questions

?
What is the current A.I Rankiteo Cyber Score for MH ?
?
What was MH's A.I Rankiteo Cyber Score in June 2026 ?
?
What was MH's A.I Rankiteo Cyber Score in May 2026 ?
?
What was MH's A.I Rankiteo Cyber Score in April 2026 ?
?
What was MH's A.I Rankiteo Cyber Score in March 2026 ?
?
What was MH's A.I Rankiteo Cyber Score in February 2026 ?
?
What was MH's A.I Rankiteo Cyber Score in January 2026 ?
?
What was MH's A.I Rankiteo Cyber Score in December 2025 ?
?
What was MH's A.I Rankiteo Cyber Score in November 2025 ?
?
What was MH's A.I Rankiteo Cyber Score in October 2025 ?
?
What was MH's A.I Rankiteo Cyber Score in September 2025 ?
?
What was MH's A.I Rankiteo Cyber Score in August 2025 ?
?
What is the average per-incident point impact on MH's A.I Rankiteo Cyber Score over the past 12 months ?
?
Where can I access detailed records of all cyber incidents associated with MH ?
?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ?
?
Where can I view MH's profile page on Rankiteo ?
?
How accurate is the A.I Rankiteo Risk Scoring methodology ?