January 30, 2026

Michael Webster: Privacy Commissioner Responds to Serious MyHealth Data Breach

Dale Husband Posted On January 30, 2026

Dale Husband Michael Webster: Privacy Commissioner Responds to Serious MyHealth Data Breach

The Privacy Commissioner is responding to one of the most serious health-data breaches in recent years, after hackers accessed and downloaded sensitive personal information from the Manage My Health database – raising urgent concerns about digital safety, accountability, and trust in New Zealand’s health systems.

Privacy Commissioner Michael Webster has confirmed his office is investigating the cyber-attack, which resulted in unauthorised access to highly sensitive health information, including medical documents, discharge summaries, and referral letters belonging to patients across Aotearoa.

While investigations are ongoing, the breach has highlighted significant vulnerabilities in digital health systems that store large volumes of personal information. Cyber-security experts say such attacks often exploit weaknesses in system protections, access controls, or outdated infrastructure – risks that grow as health providers rely more heavily on digital platforms.

The privacy impact for affected individuals is considered severe. Health information is among the most sensitive personal data, and its exposure can lead to distress, loss of trust, and potential misuse. The Commissioner says people whose information has been compromised should expect clear communication from service providers, guidance on protecting themselves from further harm, and access to appropriate support.

“This kind of information goes to the heart of a person’s dignity and wellbeing,” privacy advocates say. “When it’s breached, the consequences can be deeply personal.”

The incident has reignited wider concerns about the growing volume of personal data being collected and stored by government agencies and service providers – particularly in health, welfare, and education systems. As digital services expand, so too do the risks, prompting questions about whether protections are keeping pace with technological change.

Webster has previously warned that organisations must treat data protection as a core responsibility, not an afterthought. Agencies and service providers that collect personal information carry a high duty of care to ensure systems are secure, risks are assessed, and breaches are prevented wherever possible.

Privacy experts say when those protections fail, there must be meaningful consequences – including regulatory action, transparency, and system-wide improvements – to restore public confidence.

The MyHealth breach has also prompted calls for broader scrutiny of public health IT systems, particularly those holding sensitive patient data, to ensure vulnerabilities are identified and addressed before further harm occurs.

As the investigation continues, the Privacy Commissioner says accountability, transparency, and strong safeguards will be essential to protecting New Zealanders’ privacy in an increasingly digital health environment.

For many patients, the breach is a sobering reminder that while digital systems can improve access and efficiency, privacy and security must remain paramount.