GP clinics are scrambling to advise their frightened sufferers within the ongoing fallout from the Handle My Well being ransomware assault, with tons of of 1000’s of extremely delicate information in danger.
In its newest replace at 5pm on Wednesday, the corporate stated it could start notifying affected sufferers throughout the subsequent 24 hours and hoped to finish this course of by early subsequent week.
Notifications could be despatched initially by way of electronic mail to the tackle that was used to register the account, and would come with an 0800 quantity to name “for help and help”.
MMH had been liaising with Well being New Zealand, the Workplace of the Privateness Commissioner, Normal Follow NZ, and GP practices “to make sure sufferers obtain clear, constant info and don’t obtain a number of or complicated notifications from totally different organisations about the identical incident”.
Nonetheless, some sufferers instructed RNZ they’d already been straight contacted by their healthcare supplier to verify their paperwork had been stolen.
Some are questioning why practices didn’t do extra due diligence themselves, after it was revealed the portal retained affected person information even after they switched suppliers.
A Wairarapa girl instructed RNZ she was assured by her observe that her information couldn’t be in danger as they’d have been “archived and deleted” when it modified suppliers a yr in the past.
“Whereas I used to be there at reception, I simply opened the Handle My Well being app and all of my info was nonetheless there.
“I confirmed them the cellphone and there have been a number of shocked faces.”
She was instructed to contact Handle My Well being herself – however she contacted the observe supervisor mentioning the clinic additionally had a duty to tell sufferers.
“They’ve since emailed all sufferers with directions on how you can shut their accounts with Handle My Well being and in addition posted that info on-line.
“However none of us had been instructed on the time we modified over that we must always have individually closed our accounts, and it is a bit bit late to be doing that now.”
The girl stated the form of info that has been taken may very well be be misused for monetary scams and id fraud.
“In South Wairarapa we have a number of weak communities, there’s a number of aged individuals in the neighborhood and I am actually involved for my group and for my neighbours who may very well be affected by this.
“Individuals could not even discover there’s an issue till it is too late.”
Combined comms from clinics
Handle My Well being’s proprietor and chief govt Vino Ramayah instructed RNZ the corporate wanted every sufferers’ consent earlier than deleting their historic knowledge, even when they modified medical doctors, or their GP terminated the contract.
“Numerous our sufferers do not belong to a health care provider… So when a affected person leaves a health care provider’s observe, the sufferers have a option to proceed to make use of Handle My Well being or they’ll shut the applying, wherein case we’ll delete the info. “
Beneath its phrases of service, the corporate was obliged to retailer affected person knowledge till given specific route by sufferers “as a result of we might be wiping out a number of their historic knowledge”.
Since information of the cybersecurity breach broke, some clinics have been posting totally different on-line messages.
One Auckland GP observe community – which transitioned to a different supplier in November 2025 – texted sufferers to say MMH would “take duty for contacting any impacted people”.
Nonetheless, considered one of their sufferers stated a workers member subsequently assured her “there’s nothing to fret about, as they’ve eliminated all of their affected person’s information from MMH”.
Different clinics have appropriately suggested sufferers that among the paperwork accessed had been historic and will influence sufferers and suppliers who not used the MMH portal. They’ve directed individuals to MMH for up to date updates.
Te Kauwhata Well being Centre in Waikato instructed sufferers it was taking recommendation from its personal IT safety supplier to make sure methods had been “protected and safe” and ready for MMH to find out whether or not any of its personal sufferers’ knowledge was concerned.
“Handle My Well being is managing the notification course of and can contact affected individuals straight. Our observe cannot verify whether or not a person affected person was affected.”
Whereas MMH was assured the breach had been contained, the clinic urged sufferers to vary their passwords and allow two-factor authentication for their very own “peace of thoughts”.
In the meantime, sufferers had been warned to be cautious of scams and never share passwords or verification codes.
Tuki Tuki Medical in Waipukurau instructed sufferers confidentially that it had acquired “welcome affirmation” that none of its recordsdata had been impacted.
“Tuki Tuki Medical doesn’t use all of the modules obtainable by way of the MMH Portal which has saved your info safer.”
Masterton Medical instructed sufferers it ended its MMH contract on 4 September 2025, “so no latest affected person information was uploaded after that date. MMH remains to be investigating and can notify anybody affected”.
Nonetheless, one other affected person stated her observe had not given any recommendation about the potential for MMH retaining their info.
She stated when she contacted the observe supervisor, she was instructed the first well being organisation – which covers dozens of practices – had directed them “to not do something”.
“So she is… ‘simply ready’. I requested whether or not allegiance was to her clinic’s 18,000+ sufferers – or to the PHO and MMH.”
Sufferers frightened
A Wellington affected person, whom RNZ had agreed to not title, stated a healthcare supplier had confirmed to him that at the very least one doc of his was amongst these stolen by hackers.
“The observe supervisor confirmed to me it had instructed Handle My Well being to delete their consumer information as soon as migration [to another provider] was accomplished, however that did not occur.”
He logged into Handle My Well being and located greater than 200 paperwork of his had been nonetheless obtainable.
“I’ve bought a delicate declare and if the improper individuals bought maintain of the small print, my life could be in danger, and that is why I am spewing.
“I do know of others like me who’re additionally terrified.”
Having beforehand been the sufferer of different privateness breaches by healthcare suppliers, the person stated he had no belief of their means to maintain on-line knowledge protected.
“We have the federal government making an attempt to push for centralised medical storage that anybody anyplace within the nation can entry and I am like ‘Hell no, over my lifeless physique’.”
One other affected person stated there had been “zero communication” with sufferers from her observe.
“I am extremely disillusioned in not solely the hacking, however the deafening silence from my medical doctors and from Handle My Well being.
“I discovered this had occurred by way of a Fb group the place somebody had shared a information article about it.”
