Three health cyber breaches in three months reveals 'feeding frenzy' pattern

NEWS - eHealthNews.nz editor Rebecca McBeth

Three high-profile health data breaches within three months have exposed what a cybersecurity expert describes as a "feeding frenzy" pattern, where attackers target sectors with demonstrated weak defences and minimal consequences.

The latest incident at IntraCare, an Auckland-based private healthcare provider, comes after breaches at Manage My Health and MediMap, following what Altersec chief executive Faustin Roman describes as a predictable pattern rather than coincidence.

"New Zealand health providers are genuinely under greater attack: one high-profile breach absolutely leads to more," he says.

In the latest case, IntraCare took its patient management system, Picture Archiving and Communication System (PACS), and finance systems offline after detecting unusual activity within its IT environment on 20 March 2026.

“We have confirmed the incident involved unauthorised access to parts of our network,” a spokesperson says. 

“We are working to establish exactly how this occurred and are already implementing additional safeguards and monitoring to further strengthen our systems.”

Roman says healthcare data represents the most valuable commodity on the dark web, with a single health record worth far more than a stolen credit card because it contains identity details, NHI numbers, and clinical history that cannot be cancelled like financial cards.

“In cybersecurity, we see a clear "feeding frenzy" pattern: once an attacker publicly compromises a sector and demonstrates that defences are weak and consequences are minimal, the broader criminal ecosystem takes notice,'" he says.

"The MMH breach effectively put a spotlight on New Zealand's health tech sector and potentially signalled 'this is soft. 

"Threat actors share this intelligence. They target the same vertical, in the same country, because the conditions that allowed the first breach - legacy platforms, voluntary security standards, a $10,000 privacy penalty cap – have not changed overnight."

The interconnected nature of health systems to enable data sharing may also allow attackers to move from one system to another, says Roman.

The timing of these breaches also aligns with known vulnerability windows, particularly the December-January holiday period when organisations operate with skeleton IT crews and reduced monitoring.

The ManageMyHealth breach was detected on 30 December, MediMap in February and IntraCare in March. 

“Attackers who gain access during the holiday period may not be discovered until staff return and systems are properly reviewed," he says.

The National Cyber Security Centre's Q4 2025 Cyber Security Insights report shows the threat landscape was already intensifying before these breaches, with website compromise incidents up 16 per cent, denial of service attacks doubling, and 23 per cent of nationally significant incidents attributed to state-sponsored actors.

Roman says New Zealand's approach to healthcare cybersecurity remains immature compared to other jurisdictions with no mandatory audit regimes and meaningful penalties.

He described the Privacy Act's maximum fine of $10,000 as "laughable" compared to Australia's privacy legislation or Europe's GDPR.

IntraCare, which treats more than 2,000 patients annually, says it activated its incident response plan after detecting the breach and engaged Cyber CX, a leading Australasian cybersecurity organisation, to conduct a forensic investigation.

The provider maintained patient care by reverting to manual processes, but the breach did impact some scheduled procedures with 28 patients temporarily deferred.

“We recommenced procedures on Monday 30 March. Our focus has been on ensuring systems are fully tested and resilient before bringing them back online,” the spokesperson says.

You’ve read this article for free, but good journalism takes time and resource to produce. Please consider supporting eHealthNews by becoming a member of HiNZ, for just $17 a month.

Read more Information Governance news

Return to eHealthNews.nz home page