This statement was updated on Wednesday 21 January 2026.

The Privacy Commissioner has announced today that he will be conducting an Inquiry into the cyber security breach affecting Manage My Health Limited.

We are currently consulting with relevant parties on draft Terms of Reference as required by our legislation and expect to publish these details on 28 January. 

Our Inquiry will help determine whether appropriate security safeguards were in place and if not, why not. We will also look at what steps will be taken to prevent such an incident happening again. 

Background

We were notified on 1 January by Manage My Health (MMH) of a serious cyber security breach of its platform. We have been working with them and other relevant agencies as they contain and investigate the size and scope of the breach and identify and notify affected health agencies and individuals.   

New Zealanders rightly expect any agency collecting, holding, using or storing their sensitive health information to maintain high standards of privacy and data protection. Failure to take all reasonable steps to ensure the security of personal information against loss, misuse or disclosure is a breach of the Privacy Act. 

We expect Manage My Health and any other relevant health agencies to be able to demonstrate to the Privacy Commissioner, as the privacy regulator, that they had appropriate security safeguards in place or, if not, why not, and what steps will be taken to prevent such an incident happening again.

We also expect them to demonstrate that they have taken appropriate steps to mitigate and respond to any harm caused to affected individuals. Failure to have taken reasonable steps to prevent a breach from occurring can result in compliance action, including directing the agencies concerned to take steps to improve their systems and processes.

It's still early in the incident response process and our current focus is to support MMH and relevant health agencies in their response to the breach and notifying and supporting affected parties. 

Our next step is assessing the further responsive action we need to take as the regulator under the Privacy Act. Given the scale of the incident, the sensitivity of the personal and health information affected and systemic issues being identified, it is likely that the Privacy Commissioner may decide an investigation is warranted, depending on further information being provided by MMH.

If so, this would likely include consideration of the root cause of the breach, MMH’s breach response, and whether all reasonable steps were taken to ensure the personal information was appropriately safeguarded. This could also include issues about the retention of health information on the platform and any broader issues around how sensitive personal health information is managed and shared within the health system. 

Our Compliance and Regulatory Action Framework sets out the way in which our office intends to approach its regulatory and compliance activities.

Information for General Practices and health agencies affected by the breach

The Privacy Commissioner has issued a public advisory notice to all primary health providers affected by this breach.

In this case, given the scale of the incident, Manage My Health has notified OPC about the security breach and is providing OPC with information about the health agencies and practices affected. This means that individual practices do not also need to notify OPC. Primary care providers will be contacted directly as further information is required.

Everyone in New Zealand has privacy rights. Read about your privacy rights.

The Privacy Act places responsibility on organisations that collect, use or store your personal information to keep it safe and secure using all reasonable steps. Failure to take reasonable steps to protect your personal information against unauthorised access is a breach of the Privacy Act.  If you experience actual or potential privacy harm because of this, you can make a complaint under the Privacy Act. 

Information for people impacted 

Read our dedicated page about how to find out if you're impacted, how to secure your personal information, and how to make a privacy complaint. 

What to do if you see or come across information that has been breached

NOTE – there are legal restrictions on accessing the affected information due to the court injunction that is in place.

As with any cybersecurity breach, it’s important that people who receive or find information related to this issue do the right thing and don’t spread it by sharing it further. They should also report it to the New Zealand Police.

Further updates

We will update this statement as the situation progresses.