Marcus
@utf9k.net
Platform Engineer by day, side projects by night

https://utf9k.net
www.rnz.co.nz/news/nationa...

> More than 70 percent of those impacted by the Manage My Health breach are based in Northland, according to Health NZ.

> Northland is the only area of the country where Health NZ uses Manage My Health to share information with patients.
More than 80,000 impacted by Manage My Health breach in Northland
More than 70 percent of those impacted are based in Northland, according to Health NZ.
www.rnz.co.nz
January 11, 2026 at 1:53 AM
Oi, you're blocking the view!
January 10, 2026 at 11:53 PM
www.mbie.govt.nz/business-and...

> This would allow New Zealanders to share information about their electricity consumption with trusted third parties, such as comparison websites. It could also require electricity companies to share information [pricing] about the goods and services that they sell
January 10, 2026 at 9:20 PM
For some reason, I found myself going down a Christopher Lee rabbit hole over the past couple of weeks

Did you know that he made multiple metal albums/EPs including "A Heavy Metal Christmas" and "A Heavy Metal Christmas Too"?

youtu.be/hiRjmD9h-YY?...
The Little Drummer Boy
YouTube video by Christopher Lee - Topic
youtu.be
January 10, 2026 at 8:39 PM
There's a certain parody website trending on /r/newzealand since earlier today

managemywealth.nz
Manage My Wealth
January 10, 2026 at 9:41 AM
A bit of a follow-up on the claim that an anonymous tip was received by the Office of the Privacy Commissioner regarding PII leakage 6 months ago.

While I don't have access to either the email or the anonymous report, I think I have a general understanding of where this has all come from.
January 10, 2026 at 2:20 AM
Just a friendly reminder that if you find yourself building website functionality that allows users to upload files (such as, say, health documents), please don't blindly trust the file extension provided by the user 🙃
January 10, 2026 at 1:05 AM
I'd be curious to hear from anyone who does use Proton Mail on how the experience is?

If it's E2EE, I take it that just the message body is encrypted and not the headers to allow for evaluating message rule filters etc?

How does spam/phishing detection work if the message body is encrypted? 🤔
January 9, 2026 at 11:41 PM
Reposted by Marcus
A useful article on how ManageMyHealth and other patient portals came to exist (just ignore the error of the first 8 words).

archive.ph/YZGpz
Inside the rise of Manage My Health
How did a small NZ company become the country's biggest patient portal provider? And whose job is it to make sure private companies keep your health data safe?
www.thepost.co.nz
January 9, 2026 at 8:56 PM
@kiwisnowingfan.bsky.social Shout outs for the Kero avatar
January 9, 2026 at 9:47 AM
Heather also wrote a book that may cover a lot of the same ground, if not new ground! I dunno but I'm gonna have a read of this too.
January 9, 2026 at 8:10 AM
Means of Control by Byron Tau is a really good book if you want to learn more about the ads-to-government pipeline, especially when it was operating at its peak back in the early to mid 2010s

en.wikipedia.org/wiki/Third-p...
This cannot be stressed enough, from the 404 piece yesterday: ICE is working from a legal rationale which states that if a device is collecting adtech or location data, which is then sold to ICE, b/c the owner didn't change the privacy settings, the owner relinquished their Fourth Amendment rights.
January 9, 2026 at 8:04 AM
www.thepost.co.nz/politics/360...

From above the paywall:

> Northland Hospital patients have had their health information compromised after the Manage My Health hack, despite many never being registered with the service.
Northland Hospital patients hit by Manage My Health cyberattack
The hospital’s use of the portal to send discharge summaries, referrals and clinical correspondence left sensitive data vulnerable.
www.thepost.co.nz
January 9, 2026 at 7:07 AM
A new press release has been issued by ManageMyHealth for January 9th.

managemyhealth.co.nz/mmh-cyber-br...
MMH Cyber Breach Update 9 January 2026 | Manage My Health
MMH cyber breach update 9 January 2026
managemyhealth.co.nz
January 9, 2026 at 4:34 AM
www.nzherald.co.nz/nz/fresh-pro...

Since a breaking news banner has been put up, I'll point out that this appears to be a recap of the original Blackveil article from January 1st. While they are valid issues, I'm not sure that they rise to the level of a banner.

blackveil.co.nz/blog/managem...
Security expert finds fresh ManageMyHealth issues
'Reconnaissance' of ManageMyHealth's website and app has found new concerns, he says.
www.nzherald.co.nz
January 9, 2026 at 3:01 AM
Reposted by Marcus
Sai reminded me of 2019 revelation of #DataBreach of Tū Ora Compass Health where up to 1M NZers' medical data was exposed in cyber attacks dating back to 2016 or earlier. What did #HealthNZ and PHOs learn from this? What should they have done? @utf9k.net
#NZpol
www.stuff.co.nz/dominion-pos...
Stuff
www.stuff.co.nz
January 8, 2026 at 10:50 PM
Reposted by Marcus
Just found out that someone I know whose records are *extremely* sensitive was one of the victims. What a disgrace.
Confirmed today that my stuff is still there on Manage My Health, even though my GP practice shifted to TheDoctors nearly a year ago. The whole thing is so sloppy. I did have to compulsorily change my password first. Like my bloody password was the actual problem.
"MMH has offloaded responsibility of deleting their old accounts onto the patients but many people get signed up to such portals by their GPs switching to the platform. It should not be patients’ responsibility to delete accounts if they did not individually get into a contract with the platform"
January 8, 2026 at 8:12 PM
I will be sleeping in tomorrow and I will be surprised if I wake up to any news
Hmm, I wonder if the ransom has been paid.

I overlooked it given all the new articles about Kazu that popped up this morning but they had taken down the various posts about MMH in their channel as well as the Tor ransom page.
January 8, 2026 at 9:25 AM
Reposted by Marcus
Then hacker comes in, with a stolen ticket. And then they ask for every coat on the rack. The instruction was "only give coats to people with tickets". Hacker has ticket. So, they give them all the coats.

The stolen ticket is not the issue here. It's that the instruction missed a crucial qualifier.
January 8, 2026 at 7:58 AM
Reposted by Marcus
The API is like the person at the coat check. There's a big rack of coats behind them, and they've been instructed to "only give coats to people with tickets".

No ticket? No coat. This is good! Someone comes with ticket, asks for a coat. They get their coat. This is good!
January 8, 2026 at 7:58 AM
I really want to make sure that I do right by ManageMyHealth so I've taken the most generous interpretation of the injunction that I can to help them out :)

utf9k.net/blog/managem...
A recap of the ManageMyHealth data breach so far // utf9k
utf9k.net
January 8, 2026 at 8:21 AM
Ah geez, I guess I also have to redact (well, delete) any Bluesky posts mentioning what was in the samples as well as Reddit comments to adhere to the injunction 😮‍💨 This is going to take a while
January 8, 2026 at 7:21 AM
www.rnz.co.nz/news/nationa...

It seems the excess load of people wanting to know if their data has been breached has crashed the ManageMyHealth website 😄
Patients ask GPs for info on health records after Manage My Health security breach
Manage My Health was due to begin informing affected patients on Thursday and meanwhile has referred people to its website for more information.
www.rnz.co.nz
January 8, 2026 at 5:24 AM
ManageMyHealth have issued a new press release for Jan 8th

managemyhealth.co.nz/mmh-cyber-br...
MMH Cyber Breach Update 8 January 2026 | Manage My Health
Further to our 7 January 2026 statement regarding the cybersecurity incident, Manage My Health (MMH) provides the following update.
managemyhealth.co.nz
January 8, 2026 at 4:33 AM
After discussing this further with the Ministry of Health via direct email, they've confirmed that "this matter is within the Ministry's purview" and have reversed the transfer.
If you recall the 2024 OIA that was asking for audit findings from Te Whatu Ora on ManageMyHealth, Te Whatu Ora said they were aware of MoH having done reviews but didn't have access.

I filed an OIA with MoH who just said they're transferring it back to Te Whatu Ora 🤦

fyi.org.nz/request/3340...
GP Security Reviews - a Official Information Act request to Ministry of Health
Back in April 2024, an OIA was submitted to the Office of Dr Shane Reti querying about any "audit findings, documents, and emails pertaining to the security of Medtech and ManageMyHealth". This reque...
fyi.org.nz
January 8, 2026 at 1:45 AM