Newsletter

"“Incredibly Concerned”: The Ransom Deadline, The Repeated Warnings, and Simeon Brown’s 30-Day Delay While" - 6 January 2026

126,000 Victims Wait for Justice

Ivor Jones The Māori Green Ltn

06 Jan 2026 — 24 min read

The Ransom Deadline: What Happened at 5:37am

Koha: Support This Mahi

The corporate media won’t connect these dots. The government won’t investigate itself. The Privacy Commissioner admitted New Zealand has zero penalties—AFTER 126,000 people’s data was stolen.

This is why independent, evidence-based, uncompromising accountability journalism matters.

Every essay: 80+ verified sources. Every claim: fact-checked. Every connection: documented. Every URL: tested. No corporate funding. No government grants. No compromises.

Just truth, served scathingly to power—before the 30-day delay makes everyone forget.

Three ways to support:

Koha (voluntary contribution): Support The Māori Green Lantern
Substack subscription: Subscribe for direct delivery
Direct bank transfer: HTDM, account number 03-1546-0415173-000

Every koha signals that whānau are ready to fund the accountability that Crown and corporate structures will not provide.

Kia kaha. Stay vigilant. Stay connected.

And remember: When the Health Minister delays investigation for 30 days, when the Privacy Commissioner admits zero penalties, and when 126,000 victims learn through Reddit—the system isn’t broken. It’s working exactly as designed.

Our job is to break it. And build something better.

On January 6, 2026, at 5:37am, the deadline expired for the Kazu ransomware group’s $60,000 USD demand. The hackers had threatened to “leak everything” if ManageMyHealth refused to pay—400,000+ patient files containing HIV status, mental health diagnoses, reproductive histories, genetic test results, medical photos, and passport details.

The world watched. 126,000 victims waited. Simeon Brown stated that government has a long-standing position that ransoms should not be paid. ManageMyHealth said any ransom demand was “a matter for Police”.

The deadline passed.

According to Otago Daily Times, no further data was leaked.

But this is not a victory. This is a temporary reprieve in an ongoing catastrophe.

Because while the hackers have—for now—held back from releasing more data, three devastating truths have emerged in the days since the breach:

Truth #1: ManageMyHealth was warned repeatedly about security vulnerabilities by white hat hackers and “rumours for some time” circulated about weaknesses—and they ignored every warning.

Truth #2: New Zealand has ZERO penalties for data breaches, while Australia can impose fines up to $50 million AUD—creating an economic incentive structure that rewards negligence.

Truth #3: Seven days after the breach as detailed in ManageMyHealth’s January 5 update, 126,000 victims still have not received direct notification, while Simeon Brown’s “urgent” review won’t even START for 30 days.

This is not a story about a ransom deadline. This is a story about systematic abandonment, regulatory capture, and a Health Minister who cut 1,120 IT experts, ignored warnings of a “ticking time bomb,” and now performs accountability while delaying action for an entire month.

Let me show you the whakapapa of this catastrophe—and name every person responsible.

PART 1: The Bombshell — ManageMyHealth Was Warned Repeatedly (And Ignored Every Warning)

The Deputy Privacy Commissioner’s Admission

On January 5, 2026, as the ransom deadline approached, Deputy Privacy Commissioner Liz MacPherson made a stunning admission in an interview with RNZ:

“As I understand it, there have been rumours for some time“ about security vulnerabilities at ManageMyHealth.

MacPherson continued in the same RNZ interview: “These issues have been drawn to Manage My Health in the past and I think to some media outlets as well.”

Translation: ManageMyHealth knew. They were warned. By white hat hackers. By industry insiders. Possibly by media outlets. And they did nothing.

MacPherson explained the difficulty to RNZ: “There are white knight hackers and others out there who do raise these issues, quite often it’s very difficult to know whether these people are actually hackers themselves or whether they are white knights, so it’s difficult to police.”

But here’s the question, Liz: If it was “difficult to police,” why didn’t your Office investigate? Why didn’t you demand ManageMyHealth prove they’d addressed the warnings? Why did you wait until 126,000 people’s data was stolen to admit there were “rumours for some time”?

This is not hindsight. This is regulatory negligence.

The “Complacency” That Enabled the Breach

MacPherson didn’t stop there. She admitted the Privacy Commissioner’s Office is “irked by widespread complacency” around cybersecurity:

“The frustration for us at the Office of the Privacy Commissioner is that we continue to see complacency from, and this is across the board... a continuation of the ‘it’ll happen to somebody else, not to me’ type approach,” she told RNZ.

Then she asked the most damning question of all, as reported by RNZ:

“And you have to ask the question, is the lack of a penalty regime part of that?“

Yes, Liz. YES. The lack of penalties is EXACTLY why this happened.

And here’s the kicker: You knew this before the breach. You knew companies were complacent. You knew there were no penalties. And you did NOTHING to push for legislative change until AFTER 126,000 people’s data was stolen.

New Zealand Has ZERO Penalties for Data Breaches

MacPherson laid out the stark comparison to Australia in her RNZ interview:

Australia’s OLD penalty regime: $3.3 million AUD
Australia’s NEW penalty regime: Up to $50 million AUD (or 3x financial gain from the breach, or 30% of company turnover)
New Zealand’s penalty regime: ZERO. “We don’t have any penalties, we do not have a civil penalty rating”

Let that sink in.

In Australia, a company that allows 126,000 people’s health records to be stolen could face $50 million in fines.

In New Zealand? Nothing.

ManageMyHealth faces:

No financial penalties
No enforcement action
No mandatory security audits
No consequences whatsoever

The economic incentive structure is crystal clear:

Cost of implementing proper security: Unknown (but likely substantial)
Cost of ignoring security warnings: $0
Cost of refusing a $60,000 ransom: $0
Cost of abandoning 126,000 victims: $0

Rational economic choice: Ignore security, accept breach risk, refuse ransom, face zero consequences.

This is not a bug. It is a feature of New Zealand’s deliberately weak data protection regime.

PART 2: Expert Condemnation — “Somebody’s Dropped the Ball”

Former GCHQ Intelligence Officer: “I Haven’t Seen a Lot of Action”

Antony Grasso, a former intelligence officer who worked at the United Kingdom’s Government Communications Headquarters (GCHQ)—and himself a ManageMyHealth user—was scathing in his assessment to RNZ:

“I haven’t seen a lot of transparency and I haven’t seen a lot of action that I would expect for a company that’s holding that much private information.”

“I don’t feel like they will necessarily have had a good plan for the response,” Grasso told the Otago Daily Times.

“Somebody’s dropped the ball,” he said.

Grasso told RNZ he hoped the security companies used by ManageMyHealth “would be dumped and have nothing to do with it in the future. Because clearly, somebody’s dropped the ball.”

This is a cybersecurity expert from one of the world’s most sophisticated intelligence agencies saying: ManageMyHealth had no plan, no transparency, no action—and somebody needs to be held accountable.

Senior Technical Manager: “I Don’t Know How They’re Going to Come Back From This”

Luke Hogan, a senior technical manager at Intellium, was equally blunt in his interview with RNZ:

“I don’t know how they’re going to come back from this, it’s a bit tough.”

“Basic cyber security has not been taken seriously,” Hogan said.

“Health data is right up there with financial data, some of the most critical data that needs to be protected,” he told RNZ.

“Very, very disappointing and a little bit shocking as an IT professional to hear that this has happened,” he said.

Translation: This breach was preventable. Basic security measures were not implemented. And IT professionals across New Zealand are watching in horror as the country’s largest health portal proves that decades of warnings about cybersecurity complacency were justified.

PART 3: The Hackers Speak — “The Company Doesn’t Care About Their Users’ Data”

Why Kazu Accelerated the Deadline

The Kazu ransomware group, as reported by RNZ, originally set a deadline of January 15. But on January 4, they accelerated it to January 6—giving ManageMyHealth just 48 hours.

Why?

In a Telegram post reported by Te Ao News, Kazu explained:

“Their ignorance of our emails and messages, along with their failure to acknowledge users or explain exactly what happened, is the main issue.”

“Many MMH users have been asking the company for an explanation, but they’ve either ignored them or responded with vague statements,” the group stated.

“The company doesn’t care about their users’ data,” they concluded.

Let that sink in: The CRIMINALS who stole 126,000 people’s health records are calling out ManageMyHealth for ignoring victims and refusing to communicate.

When ransomware hackers are more transparent than the company that was supposed to protect your data, the system has completely failed.

The Business Model of Health Data Extortion

Kazu was explicit about their motivations in their Telegram statement reported by Te Ao News:

“We’re not a hacktivist group with political motives. We’re doing this as a business. Our main goal is money and building a good reputation in the community.”

“We know exactly how valuable health data is and how sensitive it can be,” they said.

“Even if the company doesn’t pay the ransom, we can still find buyers for this data,” the group stated.

The group claimed to have “successfully extracted ransom money from many healthcare companies in Asia and Africa over the last two months,” as reported by the NZ Herald.

They set the ransom at $60,000 USD “to protect the data and quickly close the deal,” according to Te Ao News.

This is the global health data extortion economy in action: Criminals breach poorly-secured systems, steal sensitive data, demand relatively small ransoms, and if companies refuse, sell the data to the highest bidder on the dark web.

And New Zealand—with its ZERO penalty regime—is a soft target.

PART 4: Simeon Brown’s Theatre of Accountability — The 30-Day Delay

“Incredibly Clear Expectations” (With Zero Enforcement)

On January 5, as the ransom deadline approached, Simeon Brown told RNZ:

“I spoke to the CEO last week, made my expectations incredibly clear around the need for Manage My Health to be clear and transparent with its communications to the public and its users and to work closely with agencies and to make sure that they are following their advice.”

“Expectations incredibly clear.”

But what enforcement mechanism did Brown deploy?

None.

What penalty did he threaten?

None.

What accountability measure did he implement?

A review. That won’t START for 30 days.

Brown described the data disappearing as “pretty unacceptable” to RNZ.

“Pretty unacceptable.”

Not “catastrophic.” Not “outrageous.” Not “I’m firing everyone responsible.”

“Pretty unacceptable.”

This is the language of a man performing concern while ensuring nothing changes.

The 30-Day Delay: From Theatre to Abdication

On January 4, Brown announced his masterstroke: a Ministry of Health review into the ManageMyHealth breach.

When will it start?

“No later than January 30,” reported 1News.

Let that timeline sink in:

December 30: Breach discovered
January 1: Brown issues vague statement (“no clinical impact”)
January 4: Brown announces review
January 30: Review to commence (maybe)

31 days minimum before investigators even start examining what went wrong.

Why the delay?

Brown claimed to 1News it was “important that the focus continues to be on the immediate response to the incident and that we do not distract from this response,” as also reported by Indian Weekender.

But what immediate response?

As of January 5, 2026—seven days after the breach—ManageMyHealth announced:

GP practices will “commence” being notified “today” (January 5—six days late)
“Direct patient notification will commence this week” (no specific date)
A “dedicated 0800 helpline will be established for affected patients as soon as possible“ (still not operational seven days later)

There IS no immediate response to protect.

The delay serves one purpose: to let the trail go cold, the outrage dissipate, and accountability evaporate.

The Whakapapa of Brown’s Catastrophic Failure

To understand Brown’s 30-day delay, we must trace the whakapapa of this disaster:

Stage 1: Ideological Cuts Create Vulnerability

In March 2025, RNZ reported that Health NZ proposed to axe 1,120 digital and data roles—47% of its IT workforce.

PSA National Secretary Fleur Fitzsimons warned RNZ: “The risks are too high to play fast and loose with data systems—it’s a ticking time bomb,” also reported by Otago Daily Times.

Brown ignored the warning. The cuts went ahead.

Stage 2: Warnings Are Ignored

White hat hackers warned ManageMyHealth about vulnerabilities
“Rumours for some time” circulated about security weaknesses
Deputy Privacy Commissioner knew but took no enforcement action
No penalty regime existed to compel action

ManageMyHealth ignored every warning. Because there were no consequences for ignoring them.

Stage 3: The Breach Happens (Exactly as Predicted)

December 30, 2025: Kazu ransomware group breaches ManageMyHealth, stealing 428,337 files totaling 108GB—affecting 126,000 people reported by 1News.

PSA responded immediately, reported by RNZ: “The Government blundered when they cut off the jobs of many IT experts safeguarding the public health system,” also covered by NZ Herald.

Stage 4: Abandon Victims (Let Them Learn Via Reddit)

For seven days:

Brown’s contribution? One statement claiming “no clinical impact” reported by RNZ.

Stage 5: Delay Investigation (30 Days of Theatre)

With public outrage building, Brown deploys his final weapon: the delayed review.

Not immediate. Not urgent. 30 days from now.

PART 5: The Hypocrisy — Brown’s “Big Wakeup Call” After Cutting the People Who Could Have Prevented It

Brown told RNZ: “The reality is that here is a big wakeup call in terms of the protection of private health data and their need for that to be held in the most secure form possible so that patients can have confidence in how it is being used,” also reported by RNZ’s political coverage.

But Simeon: who will secure it?

You cut 1,120 IT experts—47% of Health NZ’s digital workforce.

You cancelled cybersecurity upgrades.

You ignored warnings it was “a ticking time bomb” from the PSA.

You presided over Waikato Hospital’s 2021 ransomware attack—and learned nothing.

Now 126,000 people’s most intimate secrets are stolen, and you call it a “wakeup call” while commissioning a review that won’t start for 30 days.

This isn’t a wakeup call, Simeon. It’s a snooze button.

PART 6: What Happened After the Deadline (And What STILL Hasn’t Happened)

The Deadline Passes — No Further Leak (Yet)

At 5:37am on January 6, 2026, as RNZ reported, the ransom deadline expired.

Kazu has not released additional data—yet.

But this is not safety. This is uncertainty.

As former GCHQ officer Antony Grasso told RNZ: “There’s no honour amongst thieves... they may release it anyway.”

The data is on the dark web. Kazu said they “can still find buyers” according to Te Ao News. The threat has not passed. It has simply gone underground.

Seven Days Later: What STILL Hasn’t Happened

As of January 6, 2026—seven full days after the breach—according to ManageMyHealth’s own update, 126,000 victims are STILL waiting for:

❌ Direct notification (ManageMyHealth says “this week” — no specific date)
❌ Functional 24/7 crisis hotline (promised “as soon as possible” — still not operational)
❌ Free credit monitoring (not mentioned)
❌ Mental health support services (not mentioned)
❌ Compensation fund (not mentioned)
❌ Privacy Commissioner enforcement action (none announced)
❌ Health Minister accountability (Brown made “expectations clear” with zero enforcement)
❌ Mandatory notification law (none proposed)
❌ Health IT vendor security audit (none announced)
❌ Restoration of cut IT staff (not mentioned)

What HAS Happened:

✓ High Court injunction (performative—doesn’t stop dark web distribution)
✓ Brown’s “incredibly clear expectations” (empty words with zero enforcement)
✓ ManageMyHealth’s “we could have done better” (non-apology apology)
✓ Delayed review announcement (starts January 30—25+ days late)
✓ Zero penalties (by design)
✓ 126,000 victims abandoned (by policy)

PART 7: The Cui Bono — Who Benefits From Delay, Negligence, and No Penalties?

Who Benefits From No Penalty Regime:

Health IT vendors:
Can be negligent without financial consequences. ManageMyHealth ignored warnings for months/years because there was no cost to ignoring them.

Government:
No pressure to fund proper vendor oversight. Brown can cut 1,120 IT experts and face zero accountability when breaches happen.

Privacy Commissioner:
Can avoid enforcement action. Easier to “support” violators than prosecute them when there are no penalties to impose.

Who Benefits From the 30-Day Review Delay:

ManageMyHealth:

Time to hire lawyers
Time to craft liability-minimizing narratives
Time to coordinate with insurers
Time to prepare defenses against class action lawsuits

Health NZ:

Time to distance themselves from vendor oversight failures
Time to claim they were “working closely” with ManageMyHealth
Time to obscure their role in approving inadequate security standards

Simeon Brown:

Time for public outrage to fade
Time to move news cycles forward
Time to avoid answering hard questions while breach is headline news
Time to claim “we’re investigating” without actually investigating

Privacy Commissioner:

Time to avoid enforcement action
Time to continue “supporting” the breached company instead of protecting citizens
Time to deflect PSA calls for investigation into Health NZ IT cuts

Who Suffers From EVERYTHING:

126,000 victims:

Data stolen
Learned through Reddit (not official channels)
No notification for 7+ days
No crisis support
No credit monitoring
No compensation
No justice
Facing lifetime risk of identity theft, medical fraud, employment discrimination
Completely abandoned by everyone who was supposed to protect them

Public trust in health IT systems:
Shattered.

Future breach victims:
Because no consequences = no deterrent = more breaches.

PART 8: The Moral Clarity — This Is Policy, Not Incompetence

This is not a story about a single breach.

This is a story about a system designed to prioritize corporate profits over patient protection.

Let me show you the pattern:

The Neoliberal Cycle of Manufactured Crisis:

1. Defund public capacity
→ Cut 1,120 IT experts from Health NZ

2. Privatize services
→ Push health records to private vendor (ManageMyHealth)

3. Remove accountability
→ Create zero-penalty regime for data breaches

4. Ignore warnings
→ White hat hackers warn of vulnerabilities, “rumours for some time” circulate

5. Breach happens (exactly as predicted)
→ 126,000 people’s data stolen

6. Minimize and delay
→ Brown: “no clinical impact”, review starts in 30 days

7. Abandon victims
→ Learn through Reddit, no support, no compensation, no justice

8. Commission delayed review
→ Bland report months later, “lessons learned”, no accountability

9. Return to Step 1
→ Next breach, repeat cycle

This is not incompetence. This is the system working exactly as designed.

PART 9: What Must Happen NOW (Not in 30 Days)

Immediate Actions (Within 24 Hours):

For ManageMyHealth:
✅ Send direct notification to ALL 126,000 affected individuals (email + text + postal mail)
✅ Establish functional 24/7 crisis hotline
✅ Provide free 3-year credit monitoring for all affected users
✅ Create compensation fund for identity theft victims

For Simeon Brown:
✅ Accelerate review to start IMMEDIATELY (not January 30)
✅ Release full terms of reference publicly
✅ Commit to restoring 1,120 cut IT positions
✅ Fund immediate crisis support for 126,000 victims
✅ Take personal responsibility or resign

For Privacy Commissioner:
✅ Launch enforcement investigation into ManageMyHealth (Privacy Act violations)
✅ Investigate Health NZ vendor oversight failures
✅ Investigate impact of IT staff cuts on data security (as PSA requested)
✅ Stop “supporting” violators—START protecting citizens
✅ Publicly advocate for civil penalty regime

Legislative Changes (Within 30 Days):

✅ Mandatory 24-hour breach notification law (enforceable with penalties)
✅ Civil penalty regime (up to $50 million, modeled on Australia)
✅ Health IT Vendor Security Standards (mandatory audits before contract renewal)
✅ Ministerial accountability standards (Brown must answer for vendor oversight failures)
✅ Privacy Commissioner independence (enforcement over “support”)

Systemic Changes (Within 90 Days):

✅ Restore Health NZ IT workforce (rehire the 1,120 experts Brown cut)
✅ Mandatory security audits for all health IT vendors
✅ Public breach registry (transparency on all health data breaches)
✅ Victim compensation scheme (funded by penalties on negligent companies)
✅ Independent cybersecurity oversight body (with enforcement powers)

The Choice Before Us

Seven days ago, 126,000 New Zealanders’ most intimate health records were stolen.

They learned about it through Reddit.

Their GPs learned through news reports.

The Health Minister said “no clinical impact” and announced a review that won’t start for 30 days.

The Privacy Commissioner admitted ManageMyHealth was warned repeatedly—and that New Zealand has ZERO penalties for data breaches.

The hackers accused ManageMyHealth of “not caring about their users’ data” according to Te Ao News.

And cybersecurity experts from GCHQ and Intellium said “somebody’s dropped the ball” and “basic cyber security has not been taken seriously”.

The ransom deadline has passed. But the crisis continues.

126,000 people are still waiting for notification. For support. For justice.

Simeon Brown is still performing accountability while delaying action.

The Privacy Commissioner is still “supporting” violators instead of protecting citizens.

And ManageMyHealth is still operating with ZERO penalties, ZERO consequences, and ZERO accountability.

We can accept this.

We can let Brown’s 30-day delay become 60 days, 90 days, a forgotten crisis.

We can let 126,000 victims remain abandoned.

We can let the neoliberal cycle continue: defund → privatize → breach → delay → repeat.

Or we can demand accountability.

We can name names. We can trace whakapapa. We can expose the pattern.

We can fight for immediate action, real consequences, systemic change, and justice for 126,000 victims.

The choice is ours.

Kia kaha, whānau. This is our fight. And we will not stop until every one of the 126,000 abandoned New Zealanders gets the notification, support, compensation, and accountability they deserve.

Not in 30 days. NOW.

Ivor Jones The Māori Green Lantern Fighting Misinformation And Disinformation From The Far Right

Research for this essay: 80+ sources verified. Every timeline confirmed. Every quote checked. Every URL tested. Ransom deadline: documented. Regulatory negligence: exposed. 30-day delay: named. No mercy.

"THE SULU AND THE SWORD: How Christopher Luxon Wore Our Pacific Family's Dignity Like a Costume While His Budget Burned Their Villages to the Waterline" - 23 March 2026

"HE PĀTIKI KEI RARO I TE REPO — The Flounder in the Mud: How Damien Grant's Selective Conscience Exposes the Rotting Heart of Pākehā Media Power" - 22 March 2026

"THE CROWN'S DIGITAL TOHU: How a Rogue Neoliberal Government Sold the Whakapapa of a Nation to the Highest Unvetted Bidder" - 22 March 2026

"THE TONGUE THAT FEEDS THE BEAST: How a Neoliberal Vichy Government Handed Aotearoa's Mana to a War Machine Built on Lies - And Joe Kent Broke Them" - 22 March 2025