Bethany Alvaro and Daniel Croft 
In a statement released on 6 January, the website confirmed that all patients who have had their information compromised in the breach (approximately 120,000) have been identified.
“As communicated in our last update, we have identified all patients whose documents may have been accessed in this incident,” the company said.
“We are currently working through the Privacy Act notification process for each affected individual, in conjunction with Health NZ and the Office of the Privacy Commissioner.
“We continue to work around the clock and closely with authorities and agencies to respond to this incident and resolve the matter for patients and general practices.”
Manage My Health has obtained interim injunction orders from the High Court, meaning no third party can access or share the stolen data.
They say the incident has been “contained”.
The New Zealand Department of the Prime Minister and Cabinet discouraged Manage My Health or any company from paying a ransom payment to a cyber criminal, adding that government agencies would not pay ransoms.
“Paying a ransom does not guarantee the end of an incident, or the removal of malicious software. It does not guarantee that you will get your data back,” it said.
“Paying a ransom does create a financial incentive for criminals to continue or expand their activities, including potentially targeting you again.”
It also said that any payments paid to a group from a sanctioned state could violate legislation like the United Nations Act 1946 or the Russia Sanctions Act 2022, with penalties up to seven years in prison and/or a fine of $100,000 for individuals, and $1,000,000 for organisations.
Who is responsible?
The threat actor claiming to be behind the incident is a user going by “Kazu”, who posted about Manage My Health on a popular hacking forum.
According to the alleged threat actor, they stole roughly 108 gigabytes of data, equating to 428,337 files, and set a ransom of US$60,000 to be paid on 15 January 2026.
It is unclear whether or not Kazu is an individual or a wider ransomware organisation.
While Kazu’s motivation is unclear beyond financial, a messaging channel linked to Kazu has listed several alleged targets from 2025, including the Nepali Ministry of Education, Science and Technology, the Doctor Alliance in Dallas, Texas, and victims in Argentina, Bolivia, Costa Rica, Iran, Mauritania, Mexico, Sri Lanka, Thailand, and Venezuela.
Most notably in a post dated 6 January, the channel wrote “Free Nicolás Maduro!!!!!”, following the capture of the Venezuelan president by the United States last week.
The account’s author previously claimed to be based in Cuba.