Date: 2026-01-07

The attack was reported to authorities early on December 31 last year. Photo: Getty Images

People whose GPs no longer use Manage My Health may still have had their historical data hacked.

The health portal is New Zealand's biggest and is used by general practices to relay information and dispatch subscriptions.

The attack was reported to authorities in the early hours of December 31 last year.

Hackers are threatening to release 400,000 files from 120,000 patients if the health portal does not pay a $US60,000 ($NZ103,000) ransom.

Manage My Health has begun telling general practices whether their patients have been affected and is working on telling individual patients via a Privacy Act notification.

A number of people have told RNZ their GP had previously switched from Manage My Health to another platform, but they could still log in to Manage My Health and see their information there.

Manage My Health chief executive Vino Ramayah confirmed the company holds on to records unless a patient cancels their account.

It was up to patients to do this, not their GP, he said.

"When... a practice leaves Manage My Health, the patients have a choice to continue to use Manage My Health or they can close the application, in which case we will delete the data.

"It's essentially patient data - we need their consent because we'll be wiping out a lot of their historical data, so that is why it is stored."

People could use the platform privately - they do not need to use it through their GP, he said.

People should have "a level of personal diligence" with their Manage My Health accounts. Users should change their passwords regularly and use two-factor authentication, he said.

"I would encourage everyone to consider security as a very key part of your thinking, especially when you put sensitive information in an application, irrespective of whether it's Manage My Health or... any other healthcare app."

The Privacy Commissioner's website says health agencies should not keep medical information for any longer than they have a lawful purpose for using it.

"The Health (Retention of Health Information) Regulations 1996 say that health agencies must keep any health records they hold for a patient for 10 years from the last time they provided services to that patient.

"However, this requirement doesn't apply if the health agency has transferred the files to a new healthcare provider or if they have given the complete file to the patient (or, if the patient has died, to the patient's executor)."

Manage My Health said yesterday it was beginning to tell GPs if their patients were caught up in the breach.

It said affected GPs could log in to a portal to see which patients had their data stolen and what records were taken.

It would also inform practices that no longer use Manage My Health and was working on notifying affected patients.

"The Privacy Act requires individuals to be notified when their information has been accessed in an unauthorised way," it said.

"[Manage My Health] is taking on this responsibility on behalf of the practices, to which the information is being provided so that practices can provide support after individuals have been notified.

"Privacy Act notifications will go to practices through Manage My Health, together with details of how more information and support can be accessed."

Manage My Health would also establish an 0800 helpline for affected patients, it said.