The Ransom Hack on Manage My Health
The recent ransomware attack on Manage My Health, New Zealand's leading patient health platform, is shaping up as one of the most significant cybersecurity incidents in the country's history. How does it compare with earlier breaches?
The attackers have threatened to publish more than 400,000 documents taken from around 126,000 Manage My Health patients unless they are paid $60,000 by 5am on Tuesday.
The breach has prompted a government inquiry into how it happened, whether the existing security measures were adequate, and what should be strengthened.
To protect patient data, Manage My Health is seeking a court injunction against publication of the stolen information while it works to notify those affected.
It is also working with Health NZ, the Ministry of Health, the Privacy Commissioner and general practitioners to contain the ongoing threat.
The National Cyber Security Centre (NCSC) published its latest Cyber Threat Report in December, highlighting the growing commercialisation of cybercrime. Unpatched vulnerabilities and known weaknesses in New Zealand networks continue to give threat actors easy access.
In 2024/25, more than 40 percent of the incidents the NCSC handled were criminally or financially motivated, compared with about 25 percent attributed to state-sponsored actors; roughly 34 percent fell into neither category.
Financially motivated attacks more than doubled on the previous year, and reported financial losses rose from $21.6 million to more than $26.9 million.
The NCSC, which provides cyber security services to all New Zealanders, advises against paying ransoms.
“Regrettably, numerous victims who pay do not regain their data or unlock their systems, and they often face further extortion threats regarding sensitive information,” the agency reiterated.
The report also warned that artificial intelligence is amplifying the threat by lowering the technical skill needed to mount convincing attacks at scale.
“The scale and velocity of AI-driven attacks have the potential to overwhelm conventional security teams, particularly in the absence of fundamental cyber hygiene.
Nonetheless, automation serves both adversaries: rapid detection and response must constantly outstrip automated assaults to remain effective,” the report cautioned.
Waikato District Health Board Incident
Among the most notorious attacks in New Zealand's recent history, the Waikato District Health Board (DHB) incident drew wide media attention because of its direct effect on hospitals.
On 18 May 2021 the attack took down services across five hospitals after the attackers compromised the DHB's 611 servers. Six weeks later, private data belonging to more than 4,000 patients and staff was leaked on the dark web.
The ransomware paralysed operations: all phone lines and internal systems went down, with only email still working.
Three months on, staff were still relying on manual processes as the DHB struggled to gauge the size of the patient backlog.
Before the breach, the DHB had been warned about its outdated security: clinical devices were running Windows XP, which had been unsupported for five years; essential security patches were behind; and there were not enough staff to carry out upgrades.
A later report found the DHB had in fact been up to date with its patching and that software vulnerabilities played no part in the breach. Much of the detail about the DHB's preparedness and how the attack unfolded was, however, redacted.
Tonga Health System, 2025
Tonga's health system was knocked out for almost a month in June 2025 after hackers demanded a ransom of $1 million.
The ransom was not paid, and help was sought from Australia to restore the system; in the meantime patients were asked to bring handwritten notes in place of their electronic records.
Case Study of Successful Recovery
The NCSC's report offers a telling example of effective defence against ransomware: a health sector case in which fast action limited the damage.
“Numerous servers and endpoint devices were encrypted, resulting in substantial data theft,” the report elaborated.
“The organization’s IT provider aided in implementing initial remedies, which included credential modifications, account updates, and additional security protocols.”
The report found that a lack of multi-factor authentication (MFA) had allowed the initial unauthorised access. The organisation was fortunate, though: its system backups had completed barely an hour before the attack began, and restoring from them let it resume operations quickly.
The WannaCry Attack, 2017
The WannaCry attack of May 2017 became notorious for its reach.
It infected more than 300,000 computers in over 150 countries, with the attackers demanding $300 for each infected machine.
The attack took its name from the ransomware used to lock users out of their files.
Most affected organisations reportedly did not pay, and accounts suggest that those who did were not given their data back.
Particularly hard-hit was the UK’s health service, which witnessed the cancellation of nearly 20,000 hospital appointments.
In New Zealand, one notable impact was the precautionary shutdown of Lyttelton Port.
After the attacks, Counties Manukau DHB revealed it was struggling to manage the computers embedded in its medical devices, a problem experts warned was likely widespread across DHBs.
The United States attributed responsibility for the attack to North Korea.
Breaches Affecting Other Sectors
Beyond health data, New Zealanders were also caught up in a breach affecting 5.7 million Qantas customers in mid-2025.
The Australian airline disclosed the full extent of the attack in October, revealing that data had been stolen in June from about 40 companies worldwide.
The stolen records included names, email addresses and frequent flyer details; no credit card or other personal financial data was taken.
Nissan Cyber Attack, 2024
In March 2024, about 100,000 customers of Nissan's Australian and New Zealand operations were caught up in a cyber attack that exposed documents including driver's licenses and Medicare cards.
Some of the pilfered information subsequently surfaced on the dark web.
Latitude Financial Breach, 2023
In March 2023, Australian financial services company Latitude disclosed a breach that initially affected 330,000 people but grew to more than 14 million compromised records, making it at the time New Zealand's largest data incident.
Among the stolen records were more than a million New Zealand driver license numbers, 90,000 sets of personal banking details and 34,000 passport details. A ransom was demanded but not paid.
Mercury IT Incident, 2022
In 2022, Health NZ and the Ministry of Justice lost access to vital health and coronial files after an attack on their external provider, Mercury IT.
About 14,500 coronial files, 4,000 post-mortem reports and extensive bereavement care records were among the data affected.
The NCSC's annual report flagged such supply chain attacks, which target third-party suppliers, as a growing concern.
The tactic often succeeds because a vendor's security controls are weaker than its customers', or because threat actors are determined to break into those systems as a route to valuable organisational data.
Upon learning of the incident on November 30, Mercury promptly notified governmental authorities.
The Ministry of Justice and Health NZ said there was no evidence the files had been accessed without authorisation, although officials acknowledged it could not be entirely ruled out.
Squirrel Breach, 2024
In another case of supply chain exposure, mortgage broking and investment firm Squirrel suffered an attack that exposed the identity documents, including passports and driver's licenses, of around 600 peer-to-peer investors.
The breach came through a third-party registration system, which held the data for 30 days.
“The exposed data primarily included names, dates of birth, and ID numbers; no additional proprietary Squirrel information was compromised,” founder John Bolton clarified.
AA Traveller Incident
In May 2022, AA Traveller disclosed that names, addresses, contact details and expired credit card numbers belonging to hundreds of thousands of customers had been compromised the previous August.
The breach affected customers who used the website between 2003 and 2018, as well as about 30,000 people who completed an online survey in 2010.
China Accused of Hacking New Zealand’s Parliament
Judith Collins, the minister responsible for the GCSB and SIS, revealed in March 2024 that the Parliamentary Service and Parliamentary Counsel Office had been targeted in 2021 by a group known as APT40.
“Fortunately, in this instance, the NCSC worked alongside the affected organizations to contain the breach swiftly,” she stated.
The announcement followed an earlier disclosure by her predecessor, Andrew Little, linking APT40 to the Chinese government.
He said Chinese state-sponsored hackers had been behind attacks on Microsoft Exchange email software.
China’s embassy dismissed the allegations as “baseless and irresponsible.”
NZX Attack, 2020
In August 2020 the New Zealand stock exchange was hit by repeated distributed denial of service (DDoS) attacks that crippled trading.
NZX's public-facing servers were knocked offline for close to a week, forcing trading to be halted at intervals over four consecutive days.
This kind of attack floods servers and networks with huge volumes of internet traffic; the attackers often demand a ransom to stop.
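The volumetric attack described above, as an added example that is not part of the RNZ article and not anything NZX or its providers published: a small Python triage script that reads constructed web-server access-log lines, counts requests per second, compares each second against a rolling median baseline, and flags floods, distinguishing a distributed flood (many sources) from a single-source one. The log format (Apache combined style), the window sizes and the thresholds are assumptions chosen for the example. It shows what a responder would pull out of logs to size an attack and decide on filtering; it is not a mitigation, since a link saturated by volumetric traffic drops requests before any origin server logs them, and the real fix is upstream scrubbing or rate-limiting at the network edge.

```python
"""Volumetric DDoS triage over constructed access-log lines (added example)."""
import re
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# Apache combined-log-style line; format is an assumption for this example.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+)'
)


def build_sample_log(distributed=True):
    """Constructed sample: 60 s of 3 req/s from a few hosts, then 10 s at 200 req/s.

    distributed=True spreads the flood over 2,000 sources (100.64.0.0/10,
    shared-address space used here as a placeholder); False sends it all from one.
    """
    t0 = datetime(2020, 8, 25, 9, 0, 0)
    lines = []

    def emit(sec, src):
        ts = (t0 + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S +1200")
        lines.append(f'{src} - - [{ts}] "GET /quotes HTTP/1.1" 200 512')

    for sec in range(60):                      # quiet baseline
        for i in range(3):
            emit(sec, f"10.0.0.{i + 1}")
    for sec in range(60, 70):                  # flood
        for i in range(200):
            n = (sec - 60) * 200 + i
            emit(sec, f"100.64.{n >> 8}.{n & 255}" if distributed else "100.64.0.1")
    return lines


def parse(lines):
    """Yield (timestamp floored to the second, source address) per well-formed line."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than let one crash the detector
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield ts.replace(microsecond=0), m["src"]


def detect_floods(lines, baseline_window=30, factor=10, min_rps=100):
    """Flag seconds whose request count is > factor * rolling median and >= min_rps.

    Returns a list of alert dicts. Seconds with zero requests never appear in the
    log, so the baseline is a median over *logged* seconds; a quiet site would need
    the gaps filled with zeros before the median is meaningful.
    """
    per_second = {}                            # ts -> Counter(src -> requests)
    for ts, src in parse(lines):
        per_second.setdefault(ts, Counter())[src] += 1

    alerts, history = [], []                   # history: per-second totals so far
    for ts in sorted(per_second):
        srcs = per_second[ts]
        total = sum(srcs.values())
        recent = history[-baseline_window:]
        if len(recent) >= 10:                  # need some history before judging
            base = median(recent)
            if total >= min_rps and total > factor * base:
                top_share = max(srcs.values()) / total
                alerts.append({
                    "second": ts.isoformat(),
                    "requests": total,
                    "sources": len(srcs),
                    "baseline": base,
                    # one source dominating => block that source; many => needs upstream help
                    "kind": "distributed" if top_share < 0.1 else "single-source",
                })
        history.append(total)
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(alert)
```

The `kind` field is the decision that matters in the first minutes: a single-source flood can be dropped with an ACL or rate limit at the edge, while a distributed one with thousands of sources and a low top-source share is the case the paragraph describes, where the volume has to be absorbed or scrubbed upstream. The median baseline resists being dragged up by the flood itself, which a mean over the same window would not.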
CrowdStrike Incident, 2024
Not an attack but an accident, the CrowdStrike incident in mid-2024 was described as the largest IT outage on record.
A faulty security update crashed machines worldwide, disrupting transport, healthcare, finance and other sectors.
New Zealand was affected but escaped the worst of the disruption.
Source link: Rnz.co.nz.