Focus areas
The Inquiry into the cyber security breach affecting patient data within the patient portal provided by Manage My Health Limited is under section 17(1)(i) of the Privacy Act.
Read the Terms of Reference (PDF, 375KB).
Matters in scope of the Inquiry
The Inquiry is to investigate, make findings and report on:
- The context for and causes of the cyber security breach.
- The scale of the incident and patient information affected.
- People’s experience of the breach, including whether any communities have been disproportionately affected by the security breach.
- The adequacy of the security safeguards in place at the time of the cyber security breach.
- The relevant policy, contractual, and governance arrangements in place at the time of the breach between Manage My Health Limited (MMH), Health NZ – Te Whatu Ora (HNZ), primary care providers, Primary Health Organisations and other health sector agencies.
- Whether relevant policies and processes were complied with.
- Whether the Privacy Act framework has been complied with, including the Health Information Privacy Code 2020.
The Inquiry may also comment and make any relevant recommendations or findings as appropriate on any associated matters, including:
- The adequacy of the breach response to affected individuals and the Privacy Commissioner.
- The security and governance framework for the protection of sensitive patient information within patient portals.
- Transparency and awareness of patients about the handling and retention of their information on the MMH portal.
- Policies and processes concerning the retention of patient information on the MMH portal.
- Other matters relating to the storage and security of health information and personal information within the health sector.
Matters out of scope of the Inquiry
- The responses of government agencies not within the scope of the Inquiry, the National Cyber Security Centre or the Police to the cyber breach, including the handling of the ransom demand and criminal matters.
Inquiry phases
Phase one of the Inquiry will focus on, but is not limited to:
- Understanding the full scale of the incident, including the type of personal information and the number of individuals impacted.
- Identifying the agencies impacted by the breach and the nature of the contractual relationship those agencies have with MMH.
- The security safeguards in place and the respective responsibilities of MMH, HNZ and users of the MMH portal for the security of patient information held within the portal.
The scope of phase two will be confirmed following completion of phase one. The Commissioner’s findings through phase one of the Inquiry will inform the relevant complaints, investigation and advisory functions that are part of OPC’s response to concerns relating to the breach.
The timing of the second phase will be confirmed after the completion of phase one.
More information about the Manage My Health cyber incident: