Office of the Privacy Commissioner | Privacy Commissioner Inquiry into Manage My Health breach
Updated on Wednesday 28 January, 2026.
The Privacy Commissioner announced on 21 January that he will be conducting an Inquiry into the cyber security breach affecting Manage My Health Limited (MMH).
An Inquiry, under section 17(1)(i) of the Privacy Act, is the Privacy Commissioner’s usual mode of investigating public interest privacy issues.
“Given the scale of the incident, the sensitivity of the information and some of the systemic issues being identified, it’s clear to me we need to investigate the privacy issues involved.”
“New Zealanders rightly expect any agency collecting, holding, using or storing their sensitive health information to maintain high standards of privacy and data protection. Our Inquiry will help determine whether appropriate security safeguards were in place and if not, why not. We will also look at what steps will be taken to prevent such an incident happening again,” said Mr Webster.
Inquiry Terms of Reference
The Privacy Commissioner has published the terms of reference for his independent inquiry into the Manage My Health cyber incident. The Inquiry is under section 17(1)(i) of the Privacy Act.
The Inquiry’s Terms of Reference were published today on our website and include:
- the context for and causes of the cyber security breach, including the adequacy of the security safeguards in place,
- the scale of the incident, patient information affected and people’s experience of the breach,
- the relevant policy, contractual, and governance arrangements in place between the different organisations involved, including MMH, Health NZ – Te Whatu Ora, primary care providers, Primary Health Organisations and other health sector agencies,
- whether relevant policies and processes were complied with, and
- whether the Privacy Act framework has been complied with, including the Health Information Privacy Code 2020.
The Inquiry will be done in two phases, with the first phase looking into the respective responsibilities of MMH and users of its portal, and the adequacy of security safeguards that were in place at the time of the security breach. We aim to complete this phase by 30 April 2026.
The findings of this phase will inform any specific advisory or compliance response by my Office, including any investigation of complaints made by individuals who may have suffered harm from the breach. The scope and timing of phase two will be confirmed following the completion of phase one.
While the Inquiry will focus on the MMH breach, there are likely to be lessons for all agencies that manage health information and recommendations for agency, sector and system improvements.
The Privacy Commissioner’s Inquiry is independent of any other review or investigation into the MMH cyber breach, but the Commissioner can require the provision of information from these reviews that is relevant to his lines of inquiry.