The Privacy Commissioner has found both Health New Zealand and Manage My Health failed to properly protect the sensitive health information of nearly 100,000 New Zealanders caught up in last year’s major cyber breach.
Privacy Commissioner Michael Webster today released the findings of Phase One of an official inquiry into the December 2025 cyber attack that exposed private medical information and placed it up for sale online. The inquiry focused on what caused the breach and who was accountable.
The report found both organisations breached Rule 5 of the Health Information Privacy Code by failing to maintain reasonable security safeguards to protect patient data.
The Commissioner said the breach caused major distress and anxiety for affected patients, with the impacts felt most heavily in Te Tai Tokerau. Around 91 percent of affected patients were based in Northland, many of them Māori.
The inquiry found the large number of Northland patients affected was linked to a unique arrangement between Health NZ and Manage My Health involving hospital discharge information being shared through the patient portal — a process not used elsewhere in the country.
The Privacy Commissioner says compliance notices will now be issued to both Health NZ and Manage My Health, requiring further security improvements and proof that safeguards are operating effectively.
Investigators found the cyber attack was not caused by a single failure, but by a combination of weak security systems, poor monitoring capability and inadequate risk management practices.
The inquiry also criticised Health NZ for failing to include specialist privacy and cyber security staff in the Northland digital project and relying too heavily on assurances provided by Manage My Health rather than carrying out independent checks.
The report found contracts between Health NZ and Manage My Health were generic and not designed to properly manage the sharing of highly sensitive health information.
While GP practices were cleared of responsibility for the breach itself, the Commissioner warned all practices using patient portals should review their security arrangements and ensure they meet privacy obligations.
The inquiry is also calling for stronger national oversight of patient portals, recommending the Ministry of Health establish a central approval and assurance system for providers handling sensitive health information.
The report further recommends changes to the Privacy Act so third-party companies handling personal data can be held directly liable when they fail to maintain proper security protections.
Phase Two of the inquiry will now examine the wider impacts of the breach, including whether patients gave proper consent for accounts to be created, whether communication during the crisis was adequate, and whether Māori communities in Northland suffered disproportionate harm.
The Commissioner says the breach should serve as a warning to the entire health sector, stressing privacy and cyber security must be built into digital systems from the start rather than treated as an afterthought.
Privacy Commissioner Michael Webster has today released the results of Phase 1 of his Inquiry into the December 2025 Manage My Health cyber incident, in which the sensitive health information of New Zealanders was accessed, stolen and put up for sale. Phase 1 has focussed on what caused the breach and who was accountable.
New Zealanders rightly expect any agency collecting, holding, using or storing their sensitive health information to maintain high standards of privacy and data protection. The Inquiry has found both Manage My Health and Health NZ failed in their responsibilities to have reasonable security safeguards in place to protect patient information, meaning they breached Rule 5 of the Health Information Privacy Code, relating to the storage and security of information.
“My inquiry has found that there were several problems with how patient information was managed. This incident released the sensitive health information of nearly 100,000 New Zealanders and has caused serious anxiety and distress for many people.

“The effects are concentrated in Northland with around 91 percent of affected patients based there, many of whom are likely to be Māori.”
“The reason so many Northland patients were caught up in the breach was because of a unique arrangement between Health NZ and Manage My Health in Northland involving hospital discharge information – it was not happening in hospitals in the rest of the country.”
Given the Inquiry’s findings, the Privacy Commissioner intends to issue compliance notices to Manage My Health and Health NZ. “Compliance notices are the strongest tool I currently have available to me to respond to serious privacy breaches,” Mr Webster said.
“While both Manage My Health and Health NZ have already made changes to their security settings, compliance notices will formally require both of them to complete any necessary remaining work and demonstrate to my satisfaction that all changes are working effectively.
“In particular, several of Manage My Health’s technical security safeguards were inadequate at the time the breach occurred. We recognise that Manage My Health has made several important changes, but we want to independently check what has been done and that the changes provide effective protection against similar types of attacks in future.
“Also, we consider that Health NZ should have done more to make sure that Northland hospital patients’ information would be safe before arranging to send it to patients through the Manage My Health portal. This was a novel digital project involving transfers of large amounts of health information. Health NZ’s structure and processes are different now and it has made many improvements.”
While the inquiry has focused on the Manage My Health breach, it is important for other health agencies, including other third-party providers, to look at the findings and ask themselves what they need to do to make sure the same thing couldn’t happen to them.
“Digital innovation can unlock greater efficiencies and effectiveness in service delivery. Patient health portals are an important part of the health sector and can improve privacy by enabling people to access their own information easily. But it’s important to make sure the portals are as safe as possible. Patients need to be able to trust that their sensitive health information is being protected. Lessons need to be learnt across the health sector to stop these types of breaches from happening again,” says the Commissioner.
In particular, the report recommends that the Ministry of Health should set up a process for verifying and assuring that patient health portals such as Manage My Health meet health sector security standards. It is not practicable for every user, such as individual GP practices, to do their own separate security testing or assurance. Instead, providers should be checked and approved at a central level.
The inquiry also recommends that the Privacy Act be amended to allow third-party providers who do not meet reasonable security safeguards to be held liable, even where they are collecting, storing or processing on behalf of another agency. “Third parties are increasingly playing a key role in the sharing, processing and storage of personal data. As such they are a target for malicious actors. It is critical they too are incentivised to put in place safeguards.”
Key Inquiry Findings – Manage My Health
The cybersecurity breach was not the result of a single security failure, but was due to a combination of problems, including:
• Manage My Health had several key gaps in security that allowed the attack to happen.
• It failed to have systems in place that would detect that large amounts of information were being accessed, so that steps could be taken to interrupt the hacker before so much information was stolen.
The inquiry also raised questions about the quality of Manage My Health’s overall approach to security design, as well as the quality of its risk management practices.
Key Inquiry Findings – Health NZ
Most of the information that was stolen from Manage My Health was information sourced from hospitals in Northland. Health NZ should have taken more steps to make sure that it was safe to pass on the information to patients through Manage My Health (MMH). Key points were:
• The project team that engaged with MMH did not include specialist privacy and security personnel, which was needed for a project of this type, scale and novelty.
• There was over-reliance on information from Manage My Health about the security and privacy of the health portal as opposed to doing independent checks.
• Poor quality internal privacy risk assessments meant that the project designers and decision makers were not sufficiently well informed about what was needed to share hospital information safely through the portal.
• The contract between Health NZ and Manage My Health was not fit for purpose. It was generic rather than being designed to reflect how the information sharing would work and what was necessary to protect the information.
Key Inquiry Findings – GP practices
There is nothing that GP practices could have done to have prevented this breach, and they were not the source of the information that was stolen. GP practices are therefore not liable for the security failings that caused this particular breach. However, if another area of the portal had been affected, the position could have been different. The inquiry report therefore sets out reasonable security safeguards that the Office of the Privacy Commissioner expects all GP practices to have in place when using patient portals. Even if their patients haven’t been affected by the breach, it is important for all GP practices to review these findings to ensure that they can be confident they have taken adequate steps to protect patient information.

The second phase of the Inquiry, which is to commence soon, is also likely to look into further questions about GPs’ obligations when using patient health portals, including what patients are told and how authorisation is obtained to set up accounts.
Lessons for the health sector
The Inquiry includes lessons for how the health sector manages personal information, including:
• We strongly recommend that all patient health portal providers, and all health agencies that engage with them, consider the findings carefully and review their own practices to make sure that they are meeting the expectations that we have set out.
• We expect agencies to take a systemic approach – ensuring they have access to skilled people, secure technical systems, appropriate policies and processes, an ability to detect if things go wrong, and sound governance.
• NCSC and Health Information Security Framework standards are useful indications of what is likely to be required under Rule 5 of the Health Information Privacy Code.
• Privacy needs to be built in from the start and be part of system design – not an afterthought or a check-box exercise.
• Over-reliance on a vendor’s information about its security and privacy risk profile can be problematic – a degree of independent assessment is essential.
• Privacy is not a ‘set and forget’ exercise, particularly in innovative and dynamic environments such as health services – review settings from time to time and ensure that controls are still in place and operating effectively.
Next steps
The Inquiry into the Manage My Health cyber incident is being done in two phases. Phase 1 of the Inquiry has focussed on causes and accountability. Phase 2 will focus on the impacts of the breach. This report completes Phase 1. OPC is now able to begin considering privacy complaints from people affected by the breach.
The scope and timing of Phase 2 will be announced shortly but is likely to include:
• Whether patients were properly asked for authorisation before a MMH account was established for them and information was stored in that account.
• Whether patients received adequate information about how the portal would be used.
• Retention and deletion of information within the portal.
• The quality of communications about the breach.
• Whether the notifications to OPC and to affected patients complied with the Privacy Act.
• Whether the breach caused a disproportionate impact on any group, particularly Northland Māori, and the nature of these impacts.
Phase 2 will gather information to assess the impacts of the breach, including meetings with affected health providers in Northland. Phase 2 may result in further compliance action where it is demonstrated that breaches of the Privacy Act have occurred.