
This statement was updated on Wednesday 28 January 2026.

The Privacy Commissioner announced on 21 January that he will be conducting an Inquiry into the cyber security breach affecting Manage My Health Limited.

The terms of reference for his independent Inquiry were published today. The Inquiry is under section 17(1)(i) of the Privacy Act.

Background

We were notified on 1 January by Manage My Health (MMH) of a serious cyber security breach of its platform. We have been working with them and other relevant agencies as they contain and investigate the size and scope of the breach and identify and notify affected health agencies and individuals.   

New Zealanders rightly expect any agency collecting, holding, using or storing their sensitive health information to maintain high standards of privacy and data protection. Failure to take all reasonable steps to ensure the security of personal information against loss, misuse or disclosure is a breach of the Privacy Act. 

We expect Manage My Health and any other relevant health agencies to be able to demonstrate to the Privacy Commissioner, as the privacy regulator, that they had appropriate security safeguards in place or, if not, why not, and what steps will be taken to prevent such an incident happening again.

We also expect them to demonstrate that they have taken appropriate steps to mitigate and respond to any harm caused to affected individuals. Failure to have taken reasonable steps to prevent a breach from occurring can result in compliance action, including directing the agencies concerned to take steps to improve their systems and processes.

Our Compliance and Regulatory Action Framework sets out the way in which our office intends to approach its regulatory and compliance activities.

Information for General Practices and health agencies affected by the breach

The Privacy Commissioner has issued a public advisory notice to all primary health providers affected by this breach.

In this case, given the scale of the incident, Manage My Health has notified OPC about the security breach and is providing OPC with information about the health agencies and practices affected. This means that individual practices do not also need to notify OPC. Primary care providers will be contacted directly as further information is required.

Everyone in New Zealand has privacy rights. Read about your privacy rights.

The Privacy Act places responsibility on organisations that collect, use or store your personal information to keep it safe and secure using all reasonable steps. Failure to take reasonable steps to protect your personal information against unauthorised access is a breach of the Privacy Act.  If you experience actual or potential privacy harm because of this, you can make a complaint under the Privacy Act. 

Information for people impacted 

Read our dedicated page about how to find out if you're impacted, how to secure your personal information, and how to make a privacy complaint.

What to do if you see or come across information that has been breached

NOTE – there are legal restrictions on accessing the affected information due to the court injunction that is in place.

As with any cybersecurity breach, it’s important that people who receive or find information related to this issue do the right thing and don’t spread it by sharing it further. They should also report it to the New Zealand Police.

Further updates

We will update this statement as the situation progresses.