Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.

More Accept ×

We respect your Do Not Track preference.

Close ×

opc header logo

Print | Email this page

Privacy Commissioner finds Manage My Health and Health NZ breached Privacy Act

A woman in a light, brown top stands with her hands pressed together. She is talking and has a moko and dark hair pulled back. She is in front of a red wall. Privacy Commissioner Michael Webster has today released the results of Phase 1 of his Inquiry into the December 2025 Manage My Health cyber incident in which the sensitive health information of New Zealanders was accessed, stolen and put up for sale. Phase 1 has focussed on what caused the breach and who was accountable. 

New Zealanders rightly expect any agency collecting, holding, using or storing their sensitive health information to maintain high standards of privacy and data protection. The Inquiry has found both Manage My Health and Health NZ failed in their responsibilities to have reasonable security safeguards in place to protect patient information, meaning they breached Rule 5 of the Health Information Privacy Code, relating to the storage and security of information

“My inquiry has found that there were several problems with how patient information was managed. This incident released the sensitive health information of nearly 100,000 New Zealanders and has caused serious anxiety and distress for many people.

The effects are concentrated in Northland with around 91 percent of affected patients based there, many of whom are likely to be Māori.” 

“The reason so many Northland patients were caught up in the breach was because of a unique arrangement between Health NZ and Manage My Health in Northland involving hospital discharge information – it was not happening in hospitals in the rest of the country. 

Given the Inquiry’s finding, the Privacy Commissioner intends to issue compliance notices to Manage My Health and Health NZ. “Compliance notices are the strongest tool I have currently have available to me to respond to serious privacy breaches”, Mr Webster said.

“While both Manage My Health and Health NZ have already made changes to their security settings, compliance notices will formally require both of them to complete any necessary remaining work and demonstrate to my satisfaction that all changes are working effectively. 

“In particular, several of Manage My Health’s technical security safeguards were inadequate at the time the breach occurred. We recognise that Manage My Health has made several important changes, but we want to independently check what has been done and that the changes provide effective protection against similar types of attacks in future. 

“Also, we consider that Health NZ should have done more to make sure that Northland hospital patients’ information would be safe before arranging to send it to patients through the Manage My Health portal. This was a novel digital project involving transfers of large amounts of health information. Health NZ’s structure and processes are different now and it has made many improvements.” 

While the inquiry has focused on the Manage My Health breach, it is important for other health agencies, including other third-party providers, to look at the findings and ask themselves what they need to do to make sure the same thing couldn’t happen to them. 

“Digital innovation can unlock greater efficiencies and effectiveness in service delivery. Patient health portals are an important part of the health sector and can improve privacy by enabling people to access their own information easily. But it’s important to make sure the portals are as safe as possible. Patients need to be able to trust that their sensitive health information is being protected. Lessons need to be learnt across the health sector to stop these types of breaches from happening again,” says the Commissioner.

In particular, the report recommends that the Ministry of Health should set up a process for verifying and assuring that patient health portals such as Manage My Health meet health sector security standards. It is not practicable for every user, such as individual GP practices, to do their own separate security testing or assurance. Instead, providers should be checked and approved at a central level.

The inquiry also recommends that the Privacy Act be amended to allow third party providers who do not meet reasonable security safeguards to be held liable, even where they are collecting, storing or processing on behalf of another agency. “Third parties are increasingly playing a key role in the sharing, processing and storage of personal data. As such they are a target for malicious actors. It is critical they too are incentivised to put in place safeguards”.

Key Inquiry Findings – Manage My Health

The cybersecurity breach was not the result of a single security failure, but was due to a combination of problems, including:

  • Manage My Health had several key gaps in security that allowed the attack to happen.
  • It failed to have systems in place that would detect that large amounts of information were being accessed, so that steps could be taken to interrupt the hacker before so much information was stolen.

The inquiry also raised questions about the quality of Manage My Health’s overall approach to security design, as well as the quality of its risk management practices. 

Key Inquiry Findings – Health NZ

Most of the information that was stolen from Manage My Health was information sourced from hospitals in Northland. Health NZ should have taken more steps to make sure that it was safe to pass on the information to patients through MMH. Key points were:

  • The project team that engaged with MMH did not include specialist privacy and security personnel, which was needed for a project of this type, scale and novelty.
  • There was over-reliance on information from Manage My Health about the security and privacy of the health portal as opposed to doing independent checks.
  • Poor quality internal privacy risk assessments meant that the project designers and decision makers were not sufficiently well informed about what was needed to share hospital information safely through the portal.
  • The contract between Health NZ and Manage My Health was not fit for purpose. It was generic rather than being designed to reflect how the information sharing would work and what was necessary to protect the information. 

Key Inquiry Findings – GP practices

There is nothing that GP practices could have done to have prevented this breach and they were not the source of the information that was stolen. GP practices are therefore not liable for security failings that caused this particular breach. 

However, if another area of the portal had been affected, it could have been otherwise. So, the inquiry report sets out reasonable security safeguards that the Office of the Privacy Commissioner expects all GP practices to have in place when using patient portals. Even if their patients haven’t been affected by the breach, it is important for all GP practices to review these findings to ensure that they can be confident that they’ve taken adequate steps to protect patient information. 

The second phase of the Inquiry, which is to commence soon, is also likely to look into further questions about GP’s obligations when using patient health portals including what patients are told and how authorisation is obtained to set up accounts. 

Lessons for the health sector

The Inquiry includes lessons for how the health sector manages personal information; including:

  • We strongly recommend that all patient health portal providers, and all health agencies that engage with them, consider the findings carefully and review their own practices to make sure that they are meeting the expectations that we have set out.
  • We expect agencies to take a systemic approach – ensuring they have access to skilled people, secure technical systems, appropriate policies and processes, an ability to detect if things go wrong, and sound governance.
  • NCSC and Health Information Security Framework standards are useful indications of what is likely to be required under Rule 5 of the Health Information Privacy Code.
  • Privacy needs to be built in from the start and be part of system design – not an afterthought or a check-box exercise.
  • Over-reliance on a vendor’s information about its security and privacy risk profile can be problematic – a degree of independent assessment is essential.
  • Privacy is not a ‘set and forget’ exercise, particularly in innovative and dynamic environments such as health services – review settings from time to time and ensure that controls are still in place and operating effectively

Next steps

The Inquiry into the Manage My Health cyber incident is being done in two phases. Phase 1 of the Inquiry has focussed on causes and accountability. Phase 2 will focus on the impacts of the breach. This report completes Phase 1. OPC is now able to begin considering privacy complaints from people affected by the breach. 

The scope and timing of Phase 2 will be announced shortly but is likely to include:

  • Whether patients were properly asked for authorisation before a MMH account was established for them and information was stored in that account.
  • Whether patients received adequate information about how the portal would be used.
  • Retention and deletion of information within the portal:
  • The quality of communications about the breach.
  • Whether the notifications to OPC and to affected patients complied with the Privacy Act.
  • Whether the breach caused a disproportionate impact on any group, particularly Northland Māori, and the nature of these impacts.

Phase 2 will gather information to assess the impacts of the breach, including meetings with affected health providers in Northland. Phase 2 may result in further compliance action where it is demonstrated that breaches of the Privacy Act have occurred.

Back to top