Marcus
@utf9k.net
Platform Engineer by day, side projects by night

https://utf9k.net
Reposted by Marcus
"Rachel said she had received the same results via the new app, so it was not clear whether the GP was still receiving results from the lab via Manage My Health, or the systems were still integrated in some way."

The GP PMS pushes TO MMH, so yeah, someone didn't turn that off
January 7, 2026 at 11:31 PM
I've since clarified that I'm being asked to redact portions of my blog post, which I will be actioning later today once I'm home from work
Oh, I didn't see this until just now but I am honoured to have been personally served a copy of the injunction.

They said they "refer to my blog post" but it isn't explicitly clear to me if they are implying that "information obtained from it" means they would like me to remove or redact it?
January 7, 2026 at 11:13 PM
A frontend configuration change for ManageMyHealth was just released which appears to have enabled the patient breach report
January 7, 2026 at 10:30 PM
The (currently unannounced?) ManageMyHealth helpline is 0800 747 778 if you'd like to talk to someone about the breach
January 7, 2026 at 8:58 PM
If a ransom was paid, and I think it was stated as requested in Bitcoin, it should technically be possible to find the transaction.

We know a rough window of time but the amount could vary based on further discounts and/or a price increase for confidentiality
January 7, 2026 at 8:38 PM
Hmm, I wonder if the ransom has been paid.

I overlooked it given all the new articles about Kazu that popped up this morning but they had taken down the various posts about MMH in their channel as well as the Tor ransom page.
January 7, 2026 at 9:03 AM
Reposted by Marcus
As of 21:25 (so 5 minutes before 9:30pm) that "banner" seems to entirely replace the login page, there's no option to log in. So perhaps they started early.
January 7, 2026 at 8:27 AM
ManageMyHealth have just put a banner up on their sign-in page stating that they will be performing scheduled maintenance at 9:30pm - 10:00pm and that their systems will be unavailable during that period.

app.managemyhealth.co.nz/authenticati...
Manage My Health Patient Portal
ManageMyHealth™ is a secure health portal that provides 24/7 access to your health records, video consultations, hospital letters, referrals, appointment bookings, repeat prescriptions, and direct mes...
app.managemyhealth.co.nz
January 7, 2026 at 8:20 AM
Reposted by Marcus
New Zealand’s privacy watchdog and Manage My Health were both warned of security issues with the Manage My Health platform six months before hackers would hold patients' private health data as ransom.
Manage My Health, Privacy Commissioner warned of security risks six months ago
ebx.sh
January 7, 2026 at 5:46 AM
If you recall the 2024 OIA that was asking for audit findings from Te Whatu Ora on ManageMyHealth, Te Whatu Ora said they were aware of MoH having done reviews but didn't have access.

I filed an OIA with MoH who just said they're transferring it back to Te Whatu Ora 🤦

fyi.org.nz/request/3340...
GP Security Reviews - a Official Information Act request to Ministry of Health
Back in April 2024, an OIA was submitted to the Office of Dr Shane Reti querying about any "audit findings, documents, and emails pertaining to the security of Medtech and ManageMyHealth". This reque...
fyi.org.nz
January 7, 2026 at 5:41 AM
managemyhealth.co.nz/mmh-cyber-br...

MMH state police advice is to not interact with hackers, they will begin notifying patients in the next 24 hours via email, they are establishing an advisory board and their mobile app will instead redirect to their web app temporarily.
MMH Cyber Breach Update 7 January 2026 | Manage My Health
Further to our 6 January 2026 statement regarding the cybersecurity incident, Manage My Health provides the following update.
managemyhealth.co.nz
January 7, 2026 at 4:55 AM
Oh, I didn't see this until just now but I am honoured to have been personally served a copy of the injunction.

They said they "refer to my blog post" but it isn't explicitly clear to me if they are implying that "information obtained from it" means they would like me to remove or redact it?
January 7, 2026 at 4:53 AM
Reposted by Marcus
That’s one of the hardest parts of PCI compliance, keeping credit card details out of places they should never be in the first place.
January 7, 2026 at 3:58 AM
As a small anecdote, sometimes customers can also be just as bad.

At a previous company I worked at, our customers (businesses) would keep putting their customers' (citizens') credit card numbers in an unencrypted notes field.

That product team tried blocking CC formats, putting a banner, all sorts
January 7, 2026 at 3:49 AM
It's unclear whether they are referring to MMH, Saudi Icon, a new unrelated breach or a combination of these three.

I have been touching grass for a couple hours so I'm just catching up now
January 7, 2026 at 3:05 AM
Here's the Neighbourly judgment

cdn.utf9k.net/documents/00...

I haven't been following the story myself so I'm not sure if the stats are new: 213 million lines of data totalling 150GB (according to the seller's listing)

No real technical insight at all
cdn.utf9k.net
January 6, 2026 at 11:35 PM
Something I forgot to mention is that until now, the presence of lab results etc in the samples seemed to contradict only Health Documents being targeted, given there are dedicated tabs in-app for lab results etc

This article removed that contradiction in my mind and explains how both can be true
Some very good stuff in there, like even the origin of Kazu's avatar

I'll surface this one part as it's important but only a claim.

> Kazu also claimed they would delete records belonging to minors and elderly patients regardless of whether a ransom was paid.

www.nzherald.co.nz/nz/hacker-cl...
'I do it for the money': Hacker claims to be behind health data breach
'Don’t worry, this will be over soon,' the person identifying as the hacker Kazu said.
www.nzherald.co.nz
January 6, 2026 at 11:07 PM
Not to be forgotten, I've also asked the Auckland High Court for a copy of the Neighbourly judgment so maybe we'll get some technical details too.

I'll share a copy (if the publisher's notes allow) once I get it.

I guess DocumentCloud is what you're meant to use but I don't use MuckRock 😄
January 6, 2026 at 10:47 PM
Reposted by Marcus
THIS.
The next phishing campaign will be fake breach notifications that ask you to log in to view the notifications.
January 6, 2026 at 9:47 PM
Kazu seems to have taken down the message in their Telegram channel claiming that they were in Cuba.

They also scrubbed the contents of the original forum post advertising the MMH data for sale, about 30 minutes ago.

Perhaps they are getting annoyed at all the incoming media questions
January 6, 2026 at 9:55 PM
Reposted by Marcus
🤣

If we're talking biz this is terrible ROI for a lot of work, though I guess it's not like they burned any valuable 0day for it, so... ¯\_(ツ)_/¯
January 6, 2026 at 9:21 PM
Yesterday just ended up being even more eventful than all of the previous days 🤦‍♂️

That said, it seems like all of the major news outlets are in direct contact with Kazu (a few I gave directions on how) so hopefully I have now put myself out of a job
Anywho, I'm off to work now and with The Post catching news before I did, it's probably time for me to retire my temporary journalism hat and to return to being a regular, boring citizen.

Thanks to everyone who took an interest in my updates!
January 6, 2026 at 9:18 PM
Some very good stuff in there, like even the origin of Kazu's avatar

I'll surface this one part as it's important but only a claim.

> Kazu also claimed they would delete records belonging to minors and elderly patients regardless of whether a ransom was paid.

www.nzherald.co.nz/nz/hacker-cl...
'I do it for the money': Hacker claims to be behind health data breach
'Don’t worry, this will be over soon,' the person identifying as the hacker Kazu said.
www.nzherald.co.nz
January 6, 2026 at 8:35 PM
I haven't done any close analysis of every timestamp but thinking back to when I've seen them active, I think that could be plausible.

They tend to stop responding around 4pm (10pm CST) and I've seen them online as early as midnight (6am CST)
I'm not entirely sure.

Earlier today, they quoted an excerpt from Simeon Brown about forensics working to narrow down the country in their Telegram with a caption that they're in Cuba.

No way to verify that but they did also express their reaction to the investigation with a popcorn eating sticker
January 6, 2026 at 11:30 AM
Yesterday, I had emailed the NCSC to report that Kazu mentioned IPFS would be the distribution mechanism of choice if the breach is distributed.

I had also asked, in the event that I learn anything useful, where can I send it because their reporting forms are not geared towards generic tips
January 6, 2026 at 9:43 AM