Although it sounds almost unbelievable, according to a statement from Manage My Health the cyberattack occurred on December 30, 2025. The platform says it was immediately secured and unauthorized access was cut off. Final estimates indicate that data belonging to approximately 108,000 to 126,000 people were compromised—equivalent to about 6–7% of all users. The portal, used by both patients and general practitioners, stores, among other things, health-related documents.
Health Minister Simeon Brown announced on January 5, 2026, that his ministry had commissioned a formal review of the incident to determine how the breach occurred, which protective mechanisms failed, and what steps should be taken to prevent similar incidents in the future. The review is set to begin no later than January 30, 2026, and will be conducted in cooperation with the National Cyber Security Centre, the Government Chief Digital Officer, and other agencies.
Minister Brown emphasized that medical data are among the most sensitive types of information about citizens and must be protected “to the highest standards,” regardless of whether they are held by public or private entities. He added that the government intends to draw lessons from the incident to prevent similar attacks going forward.
According to statements from the portal’s operator, the breach primarily affected the “Health Documents” module—the part of the system that stores patients’ documents. The company has not found evidence so far of access to the entire database, user authentication data, or any alteration or destruction of data. However, it acknowledged that hackers may have gained access to selected patient documents. Early attempts to publish sample data suggested that these included detailed medical information.
During the attack, cybercriminals reportedly demanded a ransom of around USD 60,000, threatening to release the database if payment was not made, as highlighted by local media and incident analyses. Some of the stolen materials began appearing online before later being removed or hidden. Manage My Health also obtained a temporary High Court injunction intended to prevent further dissemination of the compromised data.
Manage My Health has now begun notifying general practitioners whose patients may have been affected and plans to contact individual users directly, in line with privacy-protection regulations. At the same time, analyses and consultations are underway to improve communication and support for users who may need information or assistance related to the breach. It remains unclear which vulnerability enabled the attack or how the data were obtained.
