Hacker claiming to be behind ManageMyHealth breach: ‘I do it for the money and I’m in negotiations to get it’
The hacker claiming to be behind the breach of New Zealand patient portal ManageMyHealth says a negotiator is working with the company to get a ransom paid.
“Don’t worry, this will be over soon, and everyone will be satisfied,” the person identifying as the hacker Kazu told the Herald through the Telegram messaging app.
The Herald interviewed Kazu after finding contact details on the dark web associated with ManageMyHealth data and details of other hacks.
Electronic footprints followed by the Herald link Kazu to the ManageMyHealth hack. It is unclear where in the world the hacker is operating from, their gender or age.
Kazu told the Herald they are responsible for hacking ManageMyHealth and health-related companies are their main focus.
“First, I target random healthcare-related companies worldwide because I’m sure this type of breach would get a lot of attention, and there was a high chance the company would pay the ransom,” the hacker said.
The ransom demand was set at US$60,000 ($103,500) and the deadline for payment extended to Friday morning.
Kazu told the Herald ransom demands were pitched at levels to encourage payment. They shared an example of a healthcare company that faced a much higher demand when it didn’t act quickly enough.
“The ransom was changed from US$200,000 to US$500,000 because the company just ignore us and we also breach them again and gain access to their whole database,” the hacker claimed, referring to a separate overseas case.

ManageMyHealth has said it learned of the hack on December 30, telling the Office of the Privacy Commissioner on January 1 before making its first public statement.
The disclosure of the hack caused alarm among users of the New Zealand patient portal that offers online management of health-related matters, including medical results, prescriptions and medical appointments, among other services.
Kazu said the vulnerability was identified weeks before it was exploited, claiming that had the company been more vigilant it could have stopped them from obtaining about 400,000 health records.
ManageMyHealth has estimated about 6-7% of its 1.8 million New Zealand users could have been affected, with some people losing multiple records. It has said the underlying patient record infrastructure was not compromised, nor were passwords and usernames.
But it has admitted – and Kazu confirmed to the Herald – the breach occurred in the “health documents” section of its website.
“MMH already say only the document part in their website is affected and it true,” the hacker said.
That section is an area where patients and medical workers upload health-related material to individual accounts to be accessed and stored on the site.
It does not include regular communications with medical professionals, doctor’s notes or lab results unless communicated through a physical copy that is then scanned and uploaded.
Kazu said the company’s response was swift and professional, and that delays in direct contact were understandable.
“The company reacted quickly to the data breach and did its best to calm users. I respect that,” they said.
“I think the company was slow to contact me because they received many ransom emails from scammers pretending to be me, so they needed time to confirm who was really responsible for the incident.”

Asked whether the breach was technically easy, Kazu would not comment on specifics but said ManageMyHealth would disclose that information itself.
The dark web site on which Kazu’s contact details were found also contained samples of ManageMyHealth files. It also held documents belonging to a Middle East company facing a ransomware demand.
Kazu told the Herald there had been an accidental uploading of patient information beyond the original limited sample of ManageMyHealth patient information posted online.
A further 180-plus records had been accidentally uploaded to the Middle Eastern ransom target but had since been deleted, the hacker said.
The Herald knows of at least one person who has downloaded the information and sent it to the Office of the Privacy Commissioner.
In another section of the website there were dozens of examples of other hacks Kazu claimed to have carried out. Those hacks offered sample documents and claimed to have obtained health records, welfare records and – in the case of a Southeast Asian nation – its entire police database.
Kazu told the Herald they carried out ransomware attacks as a way of making money.
“For money – yes, most companies do pay the ransom. In fact, even if the government does not allow it, they pay privately without disclosing it,” the hacker said.
Kazu acknowledged public concern about the impact on patients whose private medical records may have been accessed and hoped the company would pay and apologise.
“Personally I wish MMH will pay the ransom and simply apologise to the users for their negligence,” the hacker said.
“And in my side I will delete the files and never say anything else related to MMH.”

Kazu also claimed they would delete records belonging to minors and elderly patients regardless of whether a ransom was paid.
“The files contain PII (personally identifiable information) of users under 18. Even if they don’t pay the ransom, I will do my best to delete all data related to users under 18 and over 70,” the hacker said.
Kazu rejected the suggestion they acted without restraint, saying they could have sold the data quietly for a smaller amount without publicity.
“I was able to sell the files to some buyers for US$3000–US$7000 without announcing the breach and get a lot of attention,” Kazu said.
“But I give the company a chance to protect the users’ data with a low ransom.”
Kazu said ransom amounts were calculated based on several factors.
“The ransom is set depend[ing] on the situation + the size of the data + the record and the company revenue + company reaction,” they said.
Kazu said their reputation also helped secure ransoms because they had a clear track record. They disclosed an earlier handle – “Itsuki” – had helped them build an online profile.
“That was before owning some reputation in the community,” the hacker said, referring to a US$30,000 ransom demand in an overseas government-sector breach.
When asked whether they considered themselves a hacker with a conscience, Kazu replied, “maybe”.
When asked about their identity, Kazu claimed to be “male – 12 years old” before laughing off the question. Kazu said they worked alone but that a third party handled negotiations.
“I work alone but my negotiator take care of communication part,” the hacker said.
Kazu said their online avatar, drawn from the psychological horror game Cry of Fear, had no symbolic meaning. “I choose it randomly.”
Cry of Fear was a cult hit modification of the Half-Life classic set in a bleak urban environment with mental-health themes to tell a story grounded in fear and isolation.
Kazu said reporting to date had misrepresented them and claimed they would soon demonstrate they were “not the bad guy in this breach”, but declined to elaborate.
The interview followed an online post from Kazu in which they set out their version of events, their rationale for the ransom demand and their justification for targeting the healthcare sector.
Kazu expanded on the timing of the hack, saying it was left until the Christmas and New Year holiday period because most staff at the company would not have been working. In the post, they described ManageMyHealth’s security as “weak” and lacking “basic security protocols”.
Kazu said in the post that paying ransom protected data and their reputation depended on deleting files after payment. They claim healthcare organisations in Africa and Asia have paid them ransoms in recent months, leaving both sides “satisfied”.
The hack has caused alarm, with samples of the files revealing clinical notes, medical imagery and test results, raising concerns about identity fraud, extortion and blackmail.
ManageMyHealth has since obtained High Court injunctions intended to prevent the spread of the material.
The company has yet to respond to questions arising from this interview with Kazu but has issued a new statement saying it has identified and notified the first group of affected doctors’ surgeries.
The statement said: “We continue to work around the clock and closely with authorities and agencies to respond to this incident and resolve the matter for patients and general practices.
“We sincerely apologise for the pain and anxiety this incident has caused to our providers and patients, as a result of this activity against our systems.”
Minister of Health Simeon Brown has commissioned a Ministry of Health review into the incident and safeguards around digital health platforms.
The breach appears to have exceeded that of the former Waikato District Health Board, which suffered a 2021 ransomware attack that led to the personal details of about 4200 people being exposed online.
David Fisher is based in Northland and has worked as a journalist for more than 30 years, winning multiple journalism awards including being twice named Reporter of the Year and being selected as one of a small number of Wolfson Press Fellows to Wolfson College, Cambridge. He first joined the Herald in 2004.