Manage My Health Is Not an Outlier: Why Small Health Providers Are Being Targeted—and Why Email Is Still the Front Door
By Andrew Johnston | 22 January 2026
Summary
The Manage My Health data breach wasn’t just one of New Zealand’s biggest cybersecurity incidents — it exposed a pattern affecting small and mid-sized healthcare providers nationwide. As privacy obligations race ahead of enforceable security standards, the incident points to a systemic risk and raises uncomfortable questions about how health data is really being protected.

The recent Manage My Health data breach, which was in fact a theft of data, has understandably drawn media and public attention. It involves sensitive health information, large numbers of affected individuals, and a platform relied on by many general practices across New Zealand.
The incident itself is serious, but the greater risk lies in how it may be interpreted: as a one-off failure, or an unfortunate exception. It is neither.
What this incident represents is a visible example of a broader, ongoing trend: the deliberate targeting of small and medium health organisations using low-cost, high-success attack techniques, with email as the primary initial access vector.
Small health providers are not “too small to target”
There is a persistent misconception that cyber attackers focus mainly on large hospitals, national health systems, or major insurers. In practice, the opposite has become increasingly true. Small and mid-sized medical providers sit in a highly attractive position for threat actors:
- They hold high-value, regulated data (clinical records, medications, diagnoses, NHI details)
- They rely heavily on digital portals, cloud email, and third-party platforms
- They typically operate with limited security maturity
- They often lack continuous monitoring or formal incident response capability
From an attacker’s perspective, this combination delivers an excellent return on investment. Compromising one large organisation may generate headlines and scrutiny; compromising many smaller ones often goes unnoticed.
International healthcare breach data consistently shows that most incidents occur in smaller organisations, even though only the largest breaches tend to make the news. This creates a distorted perception that the problem is shrinking, when it is fragmenting.
Email-borne phishing and social engineering have been discussed in earlier Liverton Security blogs. A comment reported by RNZ that DMARC (Domain-based Message Authentication, Reporting, and Conformance) had not been implemented on the Manage My Health mail domain may have been a throwaway line, but it points to a potential attack method: using email to gain a foothold.
The ENISA Threat Landscape 2025 reports phishing as the initial access method in about 60% of recorded intrusions. Add the other email-borne methods (malware attachments, trojans and weaponised documents) and, on our estimate, email accounts for closer to 80 percent of the attack surface.
Data theft has replaced disruption as the primary goal
Historically, healthcare cyber incidents were associated with ransomware and service disruption. While ransomware remains a risk, many threat actors now prefer quiet data theft.
The reasons are straightforward:
- Stolen health data has long-term resale value
- Data can be monetised repeatedly
- The victim organisation may not detect the breach for months
- Reputational and legal consequences fall on the data holder, not the attacker
The Manage My Health incident aligns closely with this model. It was not about shutting down services or making a public statement. It was about access, extraction, and persistence.
“Server breach” statistics hide the real entry point

For a sense of scale, the US Department of Health and Human Services breach reporting lists 744 cases under investigation involving 500 or more patient records, of which 543 were reported in 2025. Of those, 22% are categorised as email-based and 63.7% as server-based.
Healthcare breach reporting often categorises incidents as:
- Email-based
- Server-based
- Application-based
At face value, this suggests that email accounts for only a minority of attacks, as the 22% figure above implies. The classification is misleading, however.
In many cases an incident is recorded as "server-based" because the data was ultimately accessed from a server. That says nothing about how the attacker obtained valid access in the first place. The practical effect is that intrusions that began with social engineering or phishing are under-counted as email-based attacks.
In practice, the most common attack chain looks like this:
- A phishing or impersonation email is sent
- Credentials or session tokens are captured
- The attacker logs in with the stolen credentials, indistinguishable from the real user
- Backend systems are accessed using real user accounts
- Data is downloaded without triggering alarms
From a logging perspective, the breach appears to originate at the server. From a security perspective, email was the enabling control failure.
Why email works so well in healthcare
Healthcare environments are particularly vulnerable to email-based attacks due to their operating model.
Common factors include:
- High trust between staff and external providers
- Frequent email interaction with labs, insurers, portals, and specialists
- Time pressure that discourages verification
- Shared or delegated inbox access
- Shared user IDs and passwords (adopted for simplicity or to reduce licensing costs)
- Inconsistent identity governance
Attackers exploit this by impersonating:
- Practice managers or senior clinicians
- Patient portal notifications
- Password reset requests
- Third-party service providers
Where email authentication controls such as DMARC are not enforced, these impersonation attempts become significantly harder to distinguish from legitimate communications.
This is why seemingly minor technical details, such as whether the DMARC policy is p=none ("monitor") or p=reject, matter. They determine whether fraudulent email is merely observed and reported, or actively blocked.
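Worked illustration of the monitor-versus-reject distinction (an added example, not code from this article or from Liverton's products): the Python below parses a DMARC record, applies DMARC's SPF and DKIM identifier-alignment rules to constructed authentication results, and shows that a spoofed message fails DMARC under both records, yet only p=reject actually stops it. The domains, records and authentication results are all constructed for the example, and the public-suffix set is a small stand-in for the real Public Suffix List.

```python
"""DMARC disposition walk-through (added example, not code from the article or
from Liverton's products).  It parses a DMARC TXT record, applies the identifier
alignment rules from RFC 7489 to SPF and DKIM results, and returns the action a
receiving mail server takes.  Every domain, record and authentication result
below is constructed for the illustration, not looked up in DNS."""
from dataclasses import dataclass

# Constructed subset of the Public Suffix List; real receivers use the full list.
PUBLIC_SUFFIXES = {"co.nz", "org.nz", "health.nz", "com", "net"}


@dataclass
class AuthResult:
    from_domain: str   # RFC5322.From domain, the one the recipient actually sees
    spf_result: str    # "pass", "fail" or "none"
    spf_domain: str    # RFC5321.MailFrom (bounce) domain SPF was evaluated for
    dkim_result: str   # "pass", "fail" or "none"
    dkim_domain: str   # d= tag of the DKIM signature that verified


def parse_dmarc(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into a tag dict with RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}  # pct is parsed but treated as 100 here
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: " + txt)
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain: the registrable label plus its public suffix."""
    labels = domain.lower().split(".")
    for n in (2, 1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return domain.lower()


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record: str, result: AuthResult) -> str:
    """What the receiver does with the message under this record and these results."""
    tags = parse_dmarc(record)
    dkim_ok = result.dkim_result == "pass" and aligned(result.from_domain, result.dkim_domain, tags["adkim"])
    spf_ok = result.spf_result == "pass" and aligned(result.from_domain, result.spf_domain, tags["aspf"])
    if dkim_ok or spf_ok:
        return "deliver (DMARC pass)"
    # DMARC failed.  Only the p= tag decides whether that failure has any effect.
    return {
        "none": "deliver (monitor only, failure reported to rua address)",
        "quarantine": "quarantine (spam folder)",
        "reject": "reject (refused at SMTP time)",
    }[tags["p"]]


# Constructed impersonation: the attacker sends from their own infrastructure with the
# practice's domain in the visible From header.  SPF passes for the attacker's bounce
# domain and DKIM verifies for the attacker's signature, but neither aligns with From.
SPOOF = AuthResult(from_domain="portal.example-practice.co.nz",
                   spf_result="pass", spf_domain="bulk.attacker-example.net",
                   dkim_result="pass", dkim_domain="attacker-example.net")

# Constructed legitimate notification sent by the practice's own portal host.
LEGIT = AuthResult(from_domain="portal.example-practice.co.nz",
                   spf_result="pass", spf_domain="portal.example-practice.co.nz",
                   dkim_result="pass", dkim_domain="example-practice.co.nz")

MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example-practice.co.nz"
ENFORCE_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example-practice.co.nz"

if __name__ == "__main__":
    for label, record in (("monitor", MONITOR_RECORD), ("enforce", ENFORCE_RECORD)):
        print(f"{label:8} spoof -> {dmarc_disposition(record, SPOOF)}")
        print(f"{label:8} legit -> {dmarc_disposition(record, LEGIT)}")
```

Under p=none the impersonation is delivered and shows up, if anyone reads it, only in the aggregate report sent to the rua address; the same message under p=reject is refused before it reaches an inbox. The enforcing record also uses strict alignment, which the legitimate portal notification still passes because its SPF domain matches the From domain exactly.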
Why breaches often go undetected for long periods
Small health providers rarely have the capability to detect subtle data theft in real time.
Typical gaps include:
- No baseline for “normal” data access volumes
- Limited audit logging or log review
- No behavioural analysis of user activity
- No alerts for abnormal download patterns
- Reliance on third parties to report issues
As a result, attackers can operate slowly and deliberately, extracting data in small volumes over time. This reduces the likelihood of detection and avoids triggering operational disruption that might prompt investigation.
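To show what the missing baseline and the abnormal-download alert from the list above look like in practice, and how the credential-based chain described earlier (valid login, real user account, quiet download) surfaces in logs, here is an added example that is not part of the article and not a Liverton product. It runs three checks over a constructed portal audit log: a per-user baseline of daily record volume and source IPs, a single-day spike, and a low-and-slow drain where no single day is alarming but a three-day window is. The log format, user names, IP addresses and thresholds are all assumptions made for the illustration.

```python
"""Baseline-and-deviation detection over a constructed patient-portal audit log
(added example; not from the article and not Liverton tooling).  Each log line is
assumed to be: ISO date, user, source IP, number of patient records returned."""
from collections import defaultdict
from statistics import median

# Thresholds are assumptions for the example, not recommendations.
SPIKE_FACTOR = 3    # one day at 3x the user's median daily volume is a spike ...
SPIKE_FLOOR = 100   # ... but never alert on fewer records than this
DRAIN_WINDOW = 3    # consecutive active days examined for a low-and-slow drain
DRAIN_FACTOR = 2    # window total at 2x the expected volume is a drain

# Constructed log: five quiet days per user, then a week in which dr.b's account is
# used from an unfamiliar address at roughly double the usual volume (the quiet
# credential-theft pattern), an unknown account appears, and nurse.a pulls 900 records.
AUDIT_LOG = """\
2026-01-05,nurse.a,203.0.113.10,38
2026-01-05,dr.b,203.0.113.11,52
2026-01-06,nurse.a,203.0.113.10,41
2026-01-06,dr.b,203.0.113.11,47
2026-01-07,nurse.a,203.0.113.10,35
2026-01-07,dr.b,203.0.113.11,55
2026-01-08,nurse.a,203.0.113.10,44
2026-01-08,dr.b,203.0.113.11,50
2026-01-09,nurse.a,203.0.113.10,39
2026-01-09,dr.b,203.0.113.11,49
2026-01-12,nurse.a,203.0.113.10,40
2026-01-12,dr.b,198.51.100.7,110
2026-01-13,nurse.a,203.0.113.10,37
2026-01-13,dr.b,198.51.100.7,120
2026-01-13,contractor.x,198.51.100.9,60
2026-01-14,nurse.a,203.0.113.10,42
2026-01-14,dr.b,198.51.100.7,115
2026-01-15,nurse.a,203.0.113.10,900
2026-01-15,dr.b,203.0.113.11,45
"""


def parse_log(text: str) -> list:
    """Parse the assumed CSV format; ISO dates sort chronologically as strings."""
    rows = []
    for line in text.strip().splitlines():
        day, user, ip, n = line.split(",")
        rows.append((day, user, ip, int(n)))
    return sorted(rows)


def build_baseline(rows: list, baseline_end: str) -> dict:
    """Per-user median daily volume and set of source IPs up to baseline_end (inclusive)."""
    counts, ips = defaultdict(list), defaultdict(set)
    for day, user, ip, n in rows:
        if day <= baseline_end:
            counts[user].append(n)
            ips[user].add(ip)
    return {u: {"median": median(c), "ips": ips[u]} for u, c in counts.items()}


def detect(text: str, baseline_end: str) -> list:
    """Return (date, user, reason) alerts for activity after the baseline period."""
    rows = parse_log(text)
    baseline = build_baseline(rows, baseline_end)
    per_user = defaultdict(list)
    for day, user, ip, n in rows:
        if day > baseline_end:
            per_user[user].append((day, ip, n))

    alerts = []
    for user, events in per_user.items():
        if user not in baseline:
            # An account with no history cannot be judged against "normal": escalate it.
            alerts.append((events[0][0], user, "no_baseline"))
            continue
        med = baseline[user]["median"]
        seen_ips = set(baseline[user]["ips"])
        spike_at = max(SPIKE_FACTOR * med, SPIKE_FLOOR)
        counts = []
        for day, ip, n in events:
            if ip not in seen_ips:          # valid login, but not from anywhere this user used before
                alerts.append((day, user, "new_source"))
                seen_ips.add(ip)
            if n > spike_at:                # the loud case a simple threshold would catch
                alerts.append((day, user, "daily_spike"))
            counts.append(n)
            if len(counts) >= DRAIN_WINDOW:
                window = counts[-DRAIN_WINDOW:]
                # Low-and-slow: every day individually below the spike line, yet the
                # window total is well above what this user normally produces.
                if all(c <= spike_at for c in window) and sum(window) > DRAIN_FACTOR * DRAIN_WINDOW * med:
                    alerts.append((day, user, "slow_drain"))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(AUDIT_LOG, "2026-01-09"):
        print(alert)
```

The point of the drain check is that it fires only on windows where every day sat below the spike threshold: a simple "3x in a day" rule alone never sees dr.b, whose account is pulling roughly twice the usual volume from an unfamiliar address. In a real deployment the baseline would be built from weeks of history and the thresholds tuned per role, but even this much gives a small practice the trigger for investigation that the list above says is usually absent.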
By the time a breach is discovered, the data has often already been copied, transferred, and distributed.
The human impact is not captured in statistics

Breach reporting focuses on record counts, timelines, and compliance actions. What it does not adequately reflect is the human impact of health data exposure.
For affected individuals, this can include:
- Anxiety about who has accessed their medical history
- Loss of trust in clinicians and digital health services
- Fear of future discrimination or misuse
- Long-term identity and privacy concerns
Health data is uniquely sensitive. Unlike passwords or credit cards, it cannot be changed. Once exposed, the impact is permanent.
This is why healthcare breaches carry consequences far beyond financial cost or regulatory penalties and must be managed and assessed as such.
A regulatory gap between privacy and security
In New Zealand, health information is covered by well-established privacy and retention obligations. However, privacy compliance does not equate to security assurance.
In New Zealand there is no coherent set of mandatory security requirements that information storage organisations such as Manage My Health must adhere to.
Data retention and privacy are covered by the Health (Retention of Health Information) Regulations 1996 and the Health Information Privacy Code 2020. Neither specifies how health information must be protected; that is the territory of the New Zealand Information Security Manual (NZISM) and the Protective Security Requirements (PSR). Here lies the hole in the process: Manage My Health provides its service to GPs as a private company, and the NZISM's only word on private companies is that "private sector organisations are also encouraged to use the NZISM". This is a gap in the regulatory regime that needs to be investigated and closed. Organisations such as Manage My Health that provide services to the New Zealand public should have to meet requirements similar to those that providers on the DIA Marketplace must comply with and are audited against.
In short, public sector agencies are required to comply with the NZISM and PSR; private sector health platforms are often only encouraged to do so.
This creates a structural gap:
- Organisations can lawfully collect and store health data
- Without being required to meet equivalent security control standards
- Or having to undergo independent security assurance
As digital health platforms increasingly operate at national scale, this distinction becomes harder to justify. The risk to citizens does not diminish simply because a service is delivered by a private provider.
What this incident should change
The Manage My Health breach should not be viewed as an isolated failure of one organisation. It should be treated as a case study in systemic risk.
Key lessons include:
- Small health providers are not low risk by default
- Email remains the dominant initial access vector
- Credential-based attacks are hard to detect without maturity
- Privacy obligations alone do not ensure protection
- Encouraged standards are not the same as enforced ones
Addressing these issues does not require every practice to become a security operations centre. But it does require baseline expectations, clear accountability, and realistic recognition of modern threat behaviour.
Closing thought
This was not a sophisticated, nation-state attack exploiting zero-day vulnerabilities. It was far more concerning than that.
It was predictable.
- Predictable because health data is valuable.
- Predictable because email remains trusted.
- Predictable because security maturity is uneven.
Until these realities are addressed collectively, similar incidents will continue, quietly, repeatedly, and often unnoticed.
Liverton Security provides services that allow organisations to secure their email: our MailAdviser and SmartGate applications ensure that emails reach the right person, and manage and filter email threats before they arrive in your organisation. Liverton Security Consulting provides education, training, vCISO services, penetration testing, and compliance reviews and audits.
About Liverton Security
Digital technology has greatly expanded opportunities for businesses, but has also introduced complex security threats that organisations cannot ignore. Protecting people, critical data, and entire organisations requires proactive and continuous security strategies.
As an influential and respected leader in global cybersecurity, Liverton Security specialises in helping businesses and government organisations neutralise evolving cyber threats in the digital age.