Office of the Privacy Commissioner | Independent Inquiry into Manage My Health breach will ask the hard questions
The Privacy Commissioner today published the terms of reference for his independent inquiry into the Manage My Health cyber incident.
“An Inquiry is the tool I use to investigate significant public interest privacy issues as it gives me the power to summon witnesses and require information from any organisation or individual that I consider would be relevant,” Privacy Commissioner Michael Webster said.
“As the independent privacy regulator, my Office will be asking the hard questions, not only on behalf of those whose personal health information has been stolen, but for all New Zealanders who need to be able to trust that our health information systems are safe and secure.
“The Manage My Health cyber incident has caused New Zealanders to question just how private and secure their sensitive health information really is - particularly in a world of increasing cyber threats and greater use of new technologies.
“Digital health innovations, like portals, can give people greater visibility and ownership over their health information and provide faster, easier access to important health services. But this cannot be at the expense of privacy and security. For people to trust and benefit from digital health solutions, innovation and data protection must go hand in hand.
“New Zealanders rightly expect any agency collecting, storing, using or sharing their sensitive health information to maintain high standards of privacy and data protection. Even the thought that their health information might become known can be truly devastating for people. This Inquiry will help determine whether reasonable steps were taken to ensure this sensitive information was appropriately safeguarded and what can be done to improve safeguards in the future,” the Commissioner said.
The Inquiry’s Terms of Reference were published today on our website and include:
- the context for and causes of the cyber security breach, including the adequacy of the security safeguards in place,
- the scale of the incident, patient information affected and people’s experience of the breach,
- the relevant policy, contractual, and governance arrangements in place between the different organisations involved, including MMH, Health NZ – Te Whatu Ora, primary care providers, Primary Health Organisations and other health sector agencies,
- whether relevant policies and processes were complied with, and
- whether the Privacy Act framework has been complied with, including the Health Information Privacy Code 2020.
The Inquiry will be done in two phases, with the first phase looking into the respective responsibilities of MMH and users of its portal, and the adequacy of security safeguards that were in place at the time of the security breach. We aim to complete this phase by 30 April 2026.
“The findings of this phase will inform any specific advisory or compliance response by my Office, including any investigation of complaints made by individuals who may have suffered harm from the breach. The scope and timing of phase two will be confirmed following the completion of phase one.”
While the Inquiry will focus on the MMH breach, there are likely to be lessons for all agencies that manage health information and recommendations for agency, sector and system improvements.
The Privacy Commissioner Inquiry is independent from any other review or investigation into the MMH cyber breach but can require the provision of information from these reviews that is relevant to his lines of inquiry.
It’s especially significant that our Inquiry starts today, as it is International Data Protection Day, which aims to raise awareness of the need to respect and protect individuals’ privacy, the Commissioner said.
About the Inquiry
The Inquiry into the cyber security breach affecting patient data within the patient portal provided by Manage My Health Limited is under section 17(1)(i) of the Privacy Act.
Read the Terms of Reference (PDF, 375KB).
Matters in scope of the Inquiry
The Inquiry is to investigate, make findings and report on:
- The context for and causes of the cyber security breach.
- The scale of the incident and patient information affected.
- People’s experience of the breach, including whether any communities have been disproportionately affected by the security breach.
- The adequacy of the security safeguards in place at the time of the cyber security breach.
- The relevant policy, contractual, and governance arrangements in place at the time of the breach between Manage My Health Limited (MMH), Health NZ – Te Whatu Ora (HNZ), primary care providers, Primary Health Organisations and other health sector agencies.
- Whether relevant policies and processes were complied with.
- Whether the Privacy Act framework has been complied with, including the Health Information Privacy Code 2020.
The Inquiry may also comment and make any relevant recommendations or findings as appropriate on any associated matters, including:
- The adequacy of the breach response to affected individuals and the Privacy Commissioner.
- The security and governance framework for the protection of sensitive patient information within patient portals.
- Transparency and awareness of patients about the handling and retention of their information on the MMH portal.
- Policies and processes concerning the retention of patient information on the MMH portal.
- Other matters relating to the storage and security of health information and personal information within the health sector.
Matters out of scope of the Inquiry
- The responses of government agencies not within the scope of the Inquiry, the National Cyber Security Centre or the Police to the cyber breach, including the handling of the ransom demand and criminal matters.
Inquiry phases
Phase one of the Inquiry will focus on, but is not limited to:
- Understanding the full scale of the incident, including the type of personal information and the number of individuals impacted.
- Identifying the agencies impacted by the breach and the nature of the contractual relationship those agencies have with MMH.
- The security safeguards in place and the respective responsibilities of MMH, HNZ and users of the MMH portal for the security of patient information held within the portal.
The scope of phase two will be confirmed following completion of phase one. The Commissioner’s findings through phase one of the Inquiry will inform the relevant complaints, investigation and advisory functions that are part of OPC’s response to concerns relating to the breach.
The timing of the second phase will be confirmed after the completion of phase one.
Read more information on our Manage My Health Inquiry focus areas page.