Ministry review to examine technical failures in MMH breach

NEWS - eHealthNews.nz editor Rebecca McBeth

The Ministry of Health will start a review of the Manage My Health cyber security incident and the response at the end of this month, with a final report expected by 30 April.

Privacy Commissioner Michael Webster has also announced an independent inquiry under the Privacy Act to examine compliance and governance arrangements surrounding the breach.

The Ministry review will look at why critical vulnerabilities remained unaddressed before hackers accessed the personal health information of more than 120,000 New Zealanders on 30 December 2025.

It will also determine whether vulnerabilities found in Manage My Health could be present in other patient portals used across the country.

Health Minister Simeon Brown commissioned the review following the breach involving the patient portal used by which has 1.8 million registered users.

"Patient data is incredibly personal and whether it is held by a public agency or a private company, it must be protected to the highest of standards," Brown said in his announcement.

The Ministry has now published detailed Terms of Reference, outlining the scope of work developed in partnership with the Government Chief Digital Officer and the National Cyber Security Centre.

The technical assurance assessment will focus on the vulnerability in Manage My Health's Health Documents module and examine why it remained unaddressed despite the platform handling sensitive medical information.

The review will evaluate the portals’ security controls against industry norms and “assess whether the sensitivity of stored information was matched by appropriate protection standards”, the terms of reference say.

It will look at the company's capability and capacity to manage a critical health records platform securely, examining data lifecycle management and retention practices that left historical data on internet-facing infrastructure.

The investigation will also “assess the adequacy, timeliness, coordination, and escalation of response actions by MMH and Health NZ”.

The Privacy Commissioner's inquiry will determine whether appropriate security safeguards were in place and examine steps needed to prevent similar incidents.

"Given the scale of the incident, the sensitivity of the information and some of the systemic issues being identified, it's clear to me we need to investigate the privacy issues involved," Webster says.

His inquiry will establish the circumstances of the cyber security breach, examine impacts on affected people, and assess compliance with relevant standards and the Privacy Act.

This includes reviewing policy, contractual, and governance arrangements between Manage My Health, Health NZ, primary care providers, and other health sector agencies.

All reviews and investigations into the incident will coordinate to minimise duplication while maintaining independence, the documents say.

The Ministry review will produce an interim findings report highlighting key issues requiring urgent attention, followed by a comprehensive final report containing full findings, root cause analysis, and actionable recommendations to prevent similar incidents.

If you would like to provide feedback on this news story, please contact the editor Rebecca McBeth.

Read more Information Governance news

Return to eHealthNews.nz home page