“Shambolic and Slow”: New Ransom Deadline Looms as Manage My Health Cyber Attack Crisis Deepens

By Lions Roar News Political & Tech Desk

AUCKLAND, NEW ZEALAND (January 9, 2026) — New Zealand’s largest patient portal, Manage My Health, is under fire as a fresh ransom deadline—believed to have passed at 5:00 AM this morning—leaves millions of Kiwis in a state of high anxiety. Criticism is mounting over the company’s “shambolic” response to a massive data breach that has exposed the private medical records of thousands, including deceased patients.

🚨 The Ransom Clock: 5:00 AM Deadline Passes

Following an interview with RNZ earlier this week, it was revealed that the hacking group responsible set a new ransom deadline for early Friday morning.

The Stance: Manage My Health has refused to confirm whether they have engaged in negotiations or if they are prepared to pay the ransom to prevent the leaked data from being sold on the dark web.
The Scale: The breach is currently estimated to affect 6-7% of the 1.8 million registered users, specifically within the “My Health Documents” module.

🗣️ “Shambolic and Frustrating” – Medical Leaders Lash Out

The College of GPs has led the charge in criticizing the portal’s handling of the crisis. President Luke Bradford described the response as “shambolic, frustrating, and slow.”

Communication Gaps: Many GP practices report being told how many patients are affected but not who they are, leaving doctors unable to advise their patients.
Storing Ghost Records: In a startling revelation, Bradford noted that his own practice stopped using Manage My Health years ago, yet patient records from that period were still being stored by the company without their knowledge.
Website Crashes: As patients rush to change passwords or verify their status, the Manage My Health website has repeatedly crashed, leading to further panic.

📁 What Data Was Taken?

Emeritus Professor Murray Tilyard, recently appointed as an honorary clinical advisor to the company, outlined three primary categories of breached data from the years 2017 to 2019:

Northland Hospital Summaries: Clinical discharge documents for patients in the Northland region.
Patient-Uploaded Docs: Personal blood pressure logs, weight recordings, and address changes.
Referral Documents: Historic clinical referral records from approximately 355 GP practices nationwide.

“I’m aware that some of the patients whose data has been breached are deceased,” Tilyard added. “Next of kin must be identified and contacted because they themselves may be vulnerable.”

💻 Cybersecurity “Posturing” Questioned

Experts are now questioning the company’s basic security hygiene. Vimal Kumar, a senior lecturer at Waikato University’s Cyber Security Lab, pointed out that Manage My Health had not properly configured DMARC (an email authentication protocol).

“It’s shocking. If DMARC, which is fairly easy to set up, has not been done, then what other things were not being done properly?” Kumar asked. He also criticized the nine-day delay between the hack (Dec 30) and the company’s first real attempts to contact users.