MediMap said on Wednesday it was seeking an urgent court injunction after an apparent data breach. Photo: Screenshot
The person claiming responsibility for the MediMap breach has indicated the security threat has ended, but key questions about what was accessed and how the breach occurred remain unanswered. Paula Penfold reports.
The person who has taken responsibility for the MediMap breach claims to have permanently deleted all data taken from the company.
The breach, which was identified on Sunday, has kept services offline at the digital medication management platform, forcing health providers to revert to paper-based systems for prescriptions.
Yesterday, MediMap sought an urgent injunction to prohibit anyone from accessing, using, copying, sharing, or publishing any unlawfully obtained data.
The move came hours after Stuff alerted the company to the fact that a person claiming responsibility for the data breach had contacted Stuff and other newsrooms.
The person provided a small sample of what appeared to be sensitive patient information.
In a new email to Stuff, the apparent hacker said they had decided to withdraw their statements, and had “permanently deleted all data on my end”.
Stuff is unable to independently verify the authenticity of the person or data, or the claim that data has been deleted. However, there is no apparent evidence it has been publicly released beyond its circulation to media organisations.
While the names of politicians including ACT leader and deputy prime minister David Seymour were used in hack communications, the person claiming responsibility said the breach was “not politically nor financially motivated”.
They did not specify a reason.
“Goodbye for now, we are Charlie Kirk,” they said, an apparent reference to the fact that some patients’ names in MediMap files had been changed to “Charlie Kirk”, the US conservative activist shot dead in September 2025.
Other patients had been marked as deceased, when they were not.
In earlier statements to the media, the apparent hacker claimed they would release additional material publicly if their demands were not met. Stuff is not publishing those demands.
Stuff has sought MediMap’s response to the claim the statements have been withdrawn and the data deleted.
Stuff has also sought clarification on how many patients and health providers have been impacted in the data breach, and how long it will take to restore services.
Royal New Zealand College of GPs President Dr Luke Bradford said the main risk of the platform being offline was transferring back to paper-based systems.
“There are always errors when you transfer from one system to another, especially at haste.”
How did the hack happen?
In media interviews, MediMap director Geoffrey Sayer said he had “no reason to believe this was a cyber attack”.
“Unfortunately this is a case of someone stealing credentials and using those credentials of a legitimate user of MediMap to cause this harm.”
Adam Burns of cybersecurity firm Blackveil said that would still constitute a cyber attack.
“If it was stolen credentials then the attack vector is what I keep saying, weak domain/dns/email authentication which allows brand impersonation and phishing attacks,” he said.
The CEO of SSS Cybersecurity, Luke Taylor, said MediMap’s position was “like saying your house wasn’t burgled because the intruder used a copied key instead of breaking a window”.
“Credential-based attacks aren’t a lesser category of cybercrime. They are cybercrime.”
Grey Power New Zealand said the breach had shaken confidence among older people who rely on digital health platforms for medication management and care coordination.
National president Gayle Chambers said older New Zealanders should not have to worry about the accuracy or security of their health records.
The organisation called for stronger cyber security safeguards across the health sector.
The MediMap breach comes just weeks after another digital health platform, Manage My Health, was hacked.
A government review of that breach is expected to report back at the end of April.