Incident-as-a-Service

Manage My Health warns users of phishing risk after cyberattack - Pharmacy Today

The 48-Hour Rule in action. This incident happened, we converted it into operational training, and your team can apply the controls immediately.

73% vs 12% Retention Lift
18.5h Breach to Training
847 Organisations
48h Action Window

30-day guarantee. Instant access after payment. Lifetime updates for this incident package.

How This Course Is Structured

Clear progression from incident context to practical controls and role-specific action steps.

1. Incident Breakdown

Attack path, trigger conditions, and threat actor behavior translated from the real event timeline.

2. Defensive Controls

Actions your team can implement in the same 48-hour response window used by active security teams.

3. Evidence & Reporting

Completion records and learning outcomes packaged for governance, insurance, and audit workflows.

Course Outline

4 modules · 16 lessons · ~192 min total

Module 1: Understanding the Manage My Health warns users of phishing risk after cyberattack - Pharmacy Today

Learn how the Phishing attack occurred and its impact.

4 lessons ~180 min
📖 1.1: Anatomy of the Manage My Health warns users of phishing risk after cyberattack - Pharmacy Today (45 min)
📖 1.2: Attack Surface and Vulnerabilities Exploited (45 min)
📖 1.3: Business Impact and Consequences (45 min)
📖 1.4: Lessons Learned from the Incident (45 min)
📖 2.1: Essential Preventive Controls (45 min)
📖 2.2: Access Management and Authentication (45 min)
📖 2.3: Network Segmentation and Zero Trust (45 min)
📖 2.4: Detection and Monitoring Systems (45 min)
📖 3.1: Incident Detection and Initial Response (45 min)
📖 3.2: Containment and Eradication (45 min)
📖 3.3: Recovery and Service Restoration (45 min)
📖 3.4: Post-Incident Analysis and Reporting (45 min)
📖 4.1: Security Awareness and Training (45 min)
📖 4.2: Continuous Vulnerability Management (45 min)
📖 4.3: Backup and Disaster Recovery (45 min)
📖 4.4: Security Metrics and Continuous Improvement (45 min)

Free Sample Lesson

Read one full lesson before purchasing. No signup required.

Free Lesson Access

Untitled Lesson

Lesson 1 of 16

Lesson 1.1: Untitled Lesson

Duration: 8 minutes

Learning Objectives

  • Understand the attack timeline and methodology
  • Identify the initial compromise vectors
  • Analyze the attacker's tactics and techniques

Lesson Content

LESSON 1.1 - Anatomy of the Manage My Health Phishing Incident

In late 2025, the New Zealand-based healthcare technology company Manage My Health experienced a significant cybersecurity incident that exposed sensitive medical data for over 120,000 patients. While the initial attack vector was reported as a phishing incident, further analysis reveals a more complex, multi-stage operation carried out by a sophisticated threat actor group.

The incident timeline began with a targeted phishing campaign against Manage My Health employees. Leveraging open-source intelligence and previous breach data, the attackers crafted highly convincing emails impersonating trusted vendors or customer service representatives. These messages contained malicious links or attachments designed to harvest user credentials, granting the threat actors initial access to the Manage My Health network.

Once inside the network, the attackers moved quickly to escalate their privileges and pivot to sensitive data repositories. By exploiting an access control vulnerability in the Health Documents module, they were able to exfiltrate over 400,000 medical records belonging to approximately 120,000-127,000 patients. This trove of sensitive information included specialist referrals, hospital discharge summaries, laboratory results, and clinical correspondence dating back several years.

The attackers then attempted to extort Manage My Health, demanding a US$60,000 ransom payment in exchange for not publishing the stolen data. When the company refused to pay, the threat actors began threatening to release the sensitive patient information, prompting Manage My Health to obtain urgent High Court injunctions to prevent dissemination.

The incident response and investigation revealed several key factors that enabled the attack. First, Manage My Health's authentication controls were inadequate, allowing the attackers to gain access with stolen credentials. Additionally, the company's network architecture lacked proper segmentation, allowing the adversaries to move laterally and access the vulnerable Health Documents module. Further analysis showed that the phishing campaign employed advanced social engineering tactics, including the use of AI-generated content to craft highly convincing messages. The attackers also leveraged legitimate third-party services and platforms to host phishing pages, evading detection by email security controls.

Beyond the immediate financial and operational impacts, the Manage My Health breach resulted in significant reputational damage. Public statements by the CEO were perceived as downplaying the security failures, further eroding trust in the company's ability to safeguard sensitive patient data. The incident also prompted a formal investigation by the New Zealand Privacy Commissioner, examining whether Manage My Health had maintained adequate security measures as required by law.

The Manage My Health breach serves as a sobering example of the evolving threat landscape in the healthcare sector, where phishing has become a dominant attack vector. Threat actors are increasingly employing sophisticated, targeted tactics to bypass traditional security controls and gain access to valuable medical information. As this incident demonstrates, a layered approach to security, including robust access management, network segmentation, and comprehensive user awareness training, is essential for healthcare organizations to mitigate the risks of such attacks.

Exercises

Exercise 1: Phishing Email Analysis

Analyze a set of sample phishing emails used in the Manage My Health attack and identify the key indicators of compromise (IoCs) that enabled the initial compromise.

Exercise 2: Network Segmentation Review

Review the network architecture and segmentation controls in place at Manage My Health and propose recommendations to limit the impact of a similar attack.

Assessment Questions

Question 1

What was the initial attack vector used by the threat actors to gain access to the Manage My Health network?

  A. SQL injection vulnerability in the patient portal
  B. Malware delivered through a software update
  C. Targeted phishing emails against Manage My Health employees
  D. Brute-force attacks against administrative accounts

Question 2

What type of sensitive information was exposed in the Manage My Health data breach?

  A. Financial records and payment card data
  B. Personally identifiable information (PII) of employees
  C. Specialized medical records and clinical correspondence
  D. Prescription drug information and treatment plans

Question 3

Which security control weakness enabled the attackers to move laterally within the Manage My Health network and access the vulnerable Health Documents module?

  A. Lack of multi-factor authentication (MFA)
  B. Inadequate network segmentation and access controls
  C. Unpatched software vulnerabilities in the patient portal
  D. Insufficient logging and monitoring capabilities

Question 4

What type of social engineering tactics did the threat actors employ in the Manage My Health phishing campaign?

  A. Exploiting COVID-19 fears and vaccine misinformation
  B. Impersonating trusted vendors and customer support representatives
  C. Leveraging personal information from previous data breaches
  D. All of the above

Question 5

What was the primary motivation behind the Manage My Health data breach?

  A. Hacktivism and ideological motivations
  B. Theft of intellectual property and trade secrets
  C. Financial extortion through a ransomware demand
  D. Disruption of healthcare services and operations

This is 1 of 16 lessons included in the full package.

Choose Your Access

All plans include 30-day money-back guarantee

Taster

£19

Single course access — ideal for trying us out

  • Full course access
  • Completion certificate
  • Try before you commit

Or get everything

Access every course in the catalogue, including all future courses

£29/mo
Monthly All-Access

Every course, cancel anytime

£249/yr
Annual All-Access

Save 28% — £20.75/month effective

Teams

Transparent pricing, no sales call required

Starter Team

£499/year

£99.80/seat effective

Up to 5 learners, all courses included

Growth Team

£999/year

£66.60/seat effective

Up to 15 learners, all courses included

Scale Team

£1999/year

£39.98/seat effective

Up to 50 learners, all courses included

Need 50+ seats? Contact us for a custom plan.

Fast Checkout

Start Learning in Minutes

Enter your details, choose a tier, and complete secure checkout. Access starts immediately after payment confirmation.

  • Stripe-secured payment and delivery workflow
  • Audit-friendly completion records
  • Escalate to enterprise volume licensing at any point

48-Hour Relevance Guarantee

If this course does not provide at least five actionable controls your team can deploy quickly, request a full refund within 30 days.

Questions Before You Enrol?

Immediately after successful payment. Your learning link is generated and delivered in the success flow.
Yes. Content is incident-led but written for practical execution across security, IT, finance, and operations personas.
Yes. Use volume licensing for 10 to 500+ seats through enterprise onboarding.