“I Don’t Think People Are Taking It Seriously”: When a 71-Year-Old Pensioner Becomes Collateral - 15 January 2025
Kia ora whānau. Ko Ivor Jones tēnei, Te Māori Green Lantern.
Kaye McKenzie-Muirson is 71 years old. She lives in Tauranga. She is a pensioner. She received confirmation that her ManageMyHealth account was affected by the cyber breach. She is worried about identity theft.
“I don’t think people are taking it seriously,” she told the NZ Herald’s Bay of Plenty Times.
She is one of more than 127,000 users whose health records were compromised when hackers accessed ManageMyHealth’s systems on December 30, 2025, stealing more than 430,000 documents as the Bay of Plenty Times confirmed.
Kaye is right. People are not taking it seriously. Because if they were, a 71-year-old woman navigating retirement wouldn’t need to worry that her health records—potentially including passport scans, medication lists, and treatment histories—are now for sale on criminal markets.

This is the fifth stage of government failure: after choosing Northland as the testing ground, after cutting IT expertise, after four different patient counts to the same GP practice, after six months of silence for breast cancer patients, we now confront the individual human cost—where pensioners fear identity theft, pain medication patients fear home invasion, young people fear blackmail, and 127,000 New Zealanders discover that their choice to “take it seriously” was stripped from them by a system designed to prioritize profit over protection.
“I Wasn’t Given Much Choice”: The Illusion of Consent
A man whose account was compromised told the Herald: “I wasn’t given much choice of regards using ManageMyHealth” as NewstalkZB documented.
IT consultant Cody Cooper, whose Hornby GP practice has 20,000 patients, explained the dynamic: “There’s a real push for online. It’s seen as convenient, but patients don’t have a lot of choice” as RNZ reported his testimony.

This is the architecture of abandonment: GP practices contract with ManageMyHealth because it’s “efficient.” Patients are enrolled automatically. Their health records—decades of intimate medical history—are uploaded to a third-party server. No meaningful choice. No Māori governance. No proactive security audits. Just the promise of “convenience” until 430,000 documents are stolen and 127,000 people discover they were never asked if they wanted their psychiatric assessments, nude medical photographs, and ADHD diagnoses stored on a server with baseline security protections missing.
“People Are Murdered for Less”: The Fear Hierarchy
The Young Face Employment Discrimination
The same man whose choice was stripped told the Herald about the specific vulnerability of younger users: “If you are young, there are many diagnoses which, if out in the public domain, could seriously affect travel, employment, insurance, social interactions and a whole range of other things” as NewstalkZB reported.
Mental health diagnoses. ADHD assessments. Sexual health histories. Addiction treatment records. For someone in their twenties or thirties building a career, applying for insurance, traveling overseas, these records—if leaked—could close doors for decades.
The Prescribed Face Physical Danger
The same man is on pain medication. His fear is visceral and immediate: “I live with considerable pain and am medicated for such. So what happens if all the druggies and crims know what’s here and where I live? People are murdered for less” as documented by NewstalkZB.

This is not hypothetical anxiety. This is a patient calculating whether criminal gangs will target his home based on stolen health records revealing what controlled substances he has access to. People are murdered for less. That sentence should haunt every official who cut IT security budgets, every executive who deferred security upgrades, and every politician who commissioned slow reviews instead of immediate action.
The Documented Face Blackmail
“If your records get posted, you are inviting blackmail, a mental health crisis, or thieves if you are prescribed restricted drugs” as the same man told NewstalkZB.
IT consultant Cody Cooper, who examined samples of the stolen data before they were taken down, confirmed what’s at stake: “There’s people’s passports, there’s people’s ADHD documents from a psychiatrist, there’s pictures of people unclothed. It’s very personal data. And my concern as a patient would be, will someone blackmail people? Or try to extort them personally as well, if they don’t pay up?” as RNZ documented.
Nude medical photographs. Psychiatric assessments. Passport scans. These aren’t abstract “documents.” These are weapons for blackmail, tools for identity theft, and evidence that can destroy lives if weaponized by criminal gangs or vindictive ex-partners who gain access through dark web marketplaces.
“Their Silence Tells Me They Have No Idea”: The Communication Collapse
The 2:10am Automated Response
A Waikato man was frustrated he hadn’t heard whether his data was impacted. “I had to chase ManageMyHealth to ask ‘what is happening’ and whether my data was involved” as NewstalkZB reported.
He received a reply at 2:10am on January 10. No other communication since. “Their silence tells me they have no idea of what to do” as he told the Herald.
The email was automated corporate theatre as documented in full by NewstalkZB:
“Thank you for contacting ManageMyHealth... We understand that news of a cyber security incident can be distressing... Your support case has been logged... If our investigations confirm that your information was involved, you will be contacted directly. We wish to reassure you that the majority of users were not affected.”
The majority. That sentence—designed to minimize, to deflect, to suggest that being in the affected minority is somehow less serious—was signed by an “unnamed support worker from the ManageMyHealth customer care department” with offices in New Zealand, Australia, and India as NewstalkZB noted.
The Missing Data Mystery
A Russell user received notification their account was compromised. They changed their password after four failed attempts—“I nearly gave up and then, hey presto, it came through” as NewstalkZB documented.
When they logged in: “It showed me as having notifications going back to March 2025. I have many more than that. My account goes back to 2020 but that’s not showing so what’s happened to all those notifications?” as they told the Herald.

They wanted to contact ManageMyHealth. “There’s no way to contact them.” “It’s a bit of a mess really” as NewstalkZB reported.
Barbara’s Contradiction
Barbara, an Auckland patient, received an email saying her data had NOT been impacted. “That was fine, I thought ‘oh well, good’” as she told RNZ.
Two days later: a second email saying YES, actually, her data WAS compromised. She was directed to change her password immediately. When she tried, the website was down. “I presume everybody who’s just been notified was trying to change their password immediately and it was overloaded” as she told RNZ.
Two contradictory emails. A crashed website. No ability to implement the security measures the company demanded she take immediately.

This is not complexity. This is systemic incompetence compounding trauma for 127,000 people.
“Patients Were Just Collateral Damage”: Cody Cooper’s Verdict
Cody Cooper examined the stolen data samples. His technical analysis revealed that the data was not encrypted: “You can infer this fairly safely because resetting passwords doesn’t cause users to ‘lose’ their stored documents. If the data had been encrypted properly with keys tied to credentials, access would break when credentials change” as RNZ documented.
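The property behind Cooper's inference, shown as an added example that is not part of the original article and is not ManageMyHealth's code: when a document key is wrapped by a key derived from the user's password, a forgotten-password reset orphans the stored ciphertext. The HMAC-based `seal`/`unseal` pair is a standard-library stand-in for an AEAD such as AES-GCM, and every name and passphrase below is hypothetical.

```python
import hashlib, hmac, os

def kek_from_password(password: str, salt: bytes) -> bytes:
    # Key-encryption key derived from the credential itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, data: bytes) -> bytes:
    # Stdlib-only stand-in for an AEAD (encrypt-then-MAC with derived subkeys).
    enc, mac = (hmac.new(key, t, hashlib.sha256).digest() for t in (b"enc", b"mac"))
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(enc, nonce, len(data))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    enc, mac = (hmac.new(key, t, hashlib.sha256).digest() for t in (b"enc", b"mac"))
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _stream(enc, nonce, len(ct))))

def enroll(password: str, document: bytes) -> dict:
    salt, dek = os.urandom(16), os.urandom(32)  # dek = per-account data key
    return {"salt": salt, "wrapped_dek": seal(kek_from_password(password, salt), dek),
            "doc": seal(dek, document)}

def read_document(account: dict, password: str) -> bytes:
    dek = unseal(kek_from_password(password, account["salt"]), account["wrapped_dek"])
    return unseal(dek, account["doc"])

def reset_password(account: dict, new_password: str) -> None:
    # Forgotten-password reset: nobody can unwrap the old data key, so the
    # service can only issue a fresh one. Existing ciphertext stays as it was.
    salt, dek = os.urandom(16), os.urandom(32)
    account.update(salt=salt, wrapped_dek=seal(kek_from_password(new_password, salt), dek))

def survives_reset(document: bytes) -> bool:
    account = enroll("old-passphrase", document)  # constructed credentials
    assert read_document(account, "old-passphrase") == document
    reset_password(account, "new-passphrase")
    try:
        return read_document(account, "new-passphrase") == document
    except ValueError:
        return False  # document ciphertext is orphaned: access broke

if __name__ == "__main__":
    print(survives_reset(b"constructed discharge summary"))
```

`survives_reset` returns `False` in this design; a store whose documents stay readable after a reset is one whose keys, if any exist, are not derived from the user's credentials.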
He questioned the response timeline: “The hack was published around 10pm on 29 December, the MMH website notice appeared on the afternoon of 31 December, but the site wasn’t taken offline until that evening” as RNZ reported. Days later, “there is no clear confirmation about what was accessed or copied” which Cooper called “worrying” as documented.
His verdict on whether ManageMyHealth should pay the US$60,000 ransom: “They may still release the data anyway, they may still contact people, we have no way of knowing if they will honour it” as RNZ reported.
Then the sentence that captures everything: “Patients were just collateral damage” as Cooper told RNZ.

His personal response: “I will personally probably look to close my account. I can’t really have confidence in the system after this. Hopefully my clinic will find a solution that’s better” as RNZ documented.
The Hackers Criticizing ManageMyHealth’s Communication
The criminal group calling themselves “Kazu” posted their ransom demand on Telegram. They brought forward the deadline from January 15 to put pressure on the company. Their explanation includes a stunning indictment: “Their ignorance of our emails and messages, along with their failure to acknowledge users or explain exactly what happened, is the main issue. Many MMH users have been asking the company for an explanation, but they’ve either ignored them or responded with vague statements” as RNZ documented.
Even the criminals are criticizing ManageMyHealth’s communication.
Kazu described themselves as a business: “We’re not a hacktivist group with political motives. We’re doing this as a business. Our main goal is money and building a good reputation in the community” as RNZ reported. They claimed successful ransom payments from healthcare companies in Asia and Africa over the previous two months.
Healthcare data breaches as a business model. And ManageMyHealth—with 1.85 million registered users, baseline security protections missing, and a June 2025 warning ignored—was the “low-hanging fruit.”
The Privacy Law That Doesn’t Protect
Privacy lawyers are calling for urgent reform. Deputy Privacy Commissioner Liz MacPherson articulated the frustration: “The frustration for us at the Office of the Privacy Commissioner is that we continue to see complacency... a continuation of the ‘it’ll happen to somebody else, not to me’ type approach. And you have to ask the question, is the lack of a penalty regime part of that?” as RNZ documented.
Current New Zealand penalties for privacy breaches:
- Privacy Commissioner can fine $10,000 for specific circumstances only as RNZ detailed
- Human Rights Review Tribunal can fine up to $350,000 max, but it’s “a pretty long haul to get all the way through there” as privacy lawyer Katrine Evans explained to RNZ
Australia’s penalties (for comparison):
- Maximum A$50 million OR three times the benefit derived OR 30 percent of annual turnover as RNZ reported
- For each contravention (multiply by number of victims)
Katrine Evans, chair of the Privacy Foundation: “The Privacy Commissioner’s Office has been calling for a long time... for a proper fining regime... So far that hasn’t happened, it’s now 2026 and it’s about time we had those in place” as RNZ documented.
She compared privacy law to health and safety: “There are really significant fines available for, say, workplace accidents, privacy is looking pretty weak” as she told RNZ.
Privacy barrister Kathryn Dalziel was blunt: “My view is that the penalties regime is not a deterrent” as she told RNZ. “Any attack on a health system or health database causes fear for people... New Zealanders hold dear, the sensitivity of our health information” as she told RNZ.
The government’s response to calls for penalty reform? Duty Minister Casey Costello: “Not going to make up policy on the fly” as RNZ reported.

Translation: We’re doing nothing.
“If This Progresses... A Class Action Comes to Mind”
The man on pain medication, who fears home invasion, raised the accountability question: “If this progresses and is caused by incompetence, a class action comes to mind. Then it comes down to who is liable… would ManageMyHealth be legally responsible or the GP practices that purchased the product and loaded your records?” as NewstalkZB documented.
His daughter requested her records be removed from ManageMyHealth. She was told “it wasn’t necessary as it was safe now” as he told the Herald.
It’s safe now. After 430,000 documents were stolen. After nude medical photographs, psychiatric assessments, and passport scans were posted as samples on dark web marketplaces. After 127,000 people discovered they had no choice in whether their health whakapapa would be stored on a server with baseline security protections missing.
It’s safe now. Tell that to Kaye McKenzie-Muirson, worried about identity theft at 71. Tell that to the man calculating whether criminals will target his home for pain medication. Tell that to young people whose mental health diagnoses could close career doors for decades.
The Verdict
Kaye McKenzie-Muirson is right: “I don’t think people are taking it seriously.”
Because if they were:
- Privacy law would have real penalties (A$50 million per contravention, not $10,000 for limited circumstances)
- ManageMyHealth would have faced proactive government audits (not reactive reviews after catastrophe)
- The June 2025 warning would have triggered immediate investigation (not password resets and silence)
- 2,000+ Health NZ IT security staff would still have jobs (not efficiency savings)
- Māori patients would have tino rangatiratanga over Māori health data (not private companies with no accountability to iwi)
- 127,000 people would have meaningful choice about whether their health records were uploaded to third-party servers (not automatic enrollment)
But they weren’t taking it seriously. Because the system is designed to prioritize:
- Profit over protection (private providers extracting fees while deferring security costs)
- Convenience over consent (“patients don’t have a lot of choice”)
- Efficiency over equity (2,000 IT jobs cut despite 98% of experts warning of harm)
- Corporate deflection over accountability (unnamed support workers, 2:10am automated emails)
Patients were just collateral damage.
Kaye McKenzie-Muirson, 71, pensioner, Tauranga, worried about identity theft.
The man on pain medication: “People are murdered for less.”
Young people facing employment discrimination if mental health records leak.
Barbara receiving two contradictory emails, unable to change her password because the website crashed.
The Russell user watching years of health notifications disappear.
127,000 collateral casualties in a system where ManageMyHealth’s communication is so poor that even the criminal hackers criticize it, where privacy penalties are so weak that lawyers call them “not a deterrent,” where government response to reform calls is “not going to make up policy on the fly.”
He aha te mea nui o te ao? He tangata, he tangata, he tangata.
Unless you are ManageMyHealth. Then it’s profit, convenience, and “the majority of users were not affected.”
Unless you are this government. Then it’s cost-cutting, efficiency, and “any changes would require Cabinet consideration.”
Unless you are one of 127,000 people discovering that your choice to “take it seriously” was stripped by a system designed to make you collateral.

Kaye is right. They’re not taking it seriously. Because if they were, a 71-year-old woman wouldn’t need to fear identity theft while the government refuses to reform privacy penalties and ManageMyHealth sends automated emails at 2:10am saying “the majority were not affected.”
Kia kaha, whānau. You deserve privacy laws with real teeth. You deserve choice. You deserve better than “the majority were not affected.”

Research transparency: Analysis conducted January 15, 2026, using NZ Herald Bay of Plenty Times, RNZ, NewstalkZB, patient testimonies (Kaye McKenzie-Muirson, Russell user, Waikato man, Barbara, man on pain medication), IT consultant analysis (Cody Cooper), privacy lawyers (Katrine Evans, Kathryn Dalziel), and hacker communications. All URLs verified active. No synthetic data used.

Ivor Jones The Māori Green Lantern Fighting Misinformation And Disinformation From The Far Right