
Manage My Health and Health NZ breached Privacy Act

1 hour ago  

NEWS - eHealthNews editor Rebecca McBeth


The Ministry of Health and Health New Zealand are strengthening cyber security across the health system following independent reviews into the Manage My Health cyber incident, which resulted in the private health information of 99,000 New Zealanders being accessed, stolen and put up for sale.

Privacy Commissioner Michael Webster has found both Manage My Health and Health NZ breached the Privacy Act by failing to maintain reasonable security safeguards to protect patient information. 

The breach occurred on 21 December 2025, when a hacker using compromised credentials exploited a vulnerability in Manage My Health's application programming interface to extract more than 400,000 patient documents. 

Webster says the theft of this highly personal information caused significant anxiety and distress for patients.

More than 90 percent of those affected are in Northland, many of whom are likely to be Māori. This is because of a unique arrangement between Health NZ and Manage My Health involving hospital discharge information, which was not happening in other hospitals.

Ministry of Health chief medical officer Joe Bourne says a Ministry review found the breach was largely preventable and identified weaknesses in technical controls, incident preparedness, and communications.

"This incident has highlighted clear areas where the system needs to improve, and our focus is now on learning from it and implementing these changes at pace," he says.

The Privacy Commissioner will issue compliance notices to both Manage My Health and Health NZ, which he says are the strongest tools currently available to respond to serious privacy breaches. 

"Several of Manage My Health's technical security safeguards were inadequate at the time the breach occurred," Webster says. 

"We want to independently check what has been done and that the changes provide effective protection against similar types of attacks in future."

Phase 1 of the commissioner’s report found the cybersecurity breach was not the result of a single security failure but was due to a combination of problems. Manage My Health had several key gaps in security that allowed the attack to happen and failed to have systems in place that would detect large amounts of information being accessed.

It says that Health NZ should have taken more steps to ensure it was safe to pass information to patients through the portal. The project team that engaged with Manage My Health did not include specialist privacy and security personnel, which was needed for a project of this type, scale and novelty.

"There was over-reliance on information from Manage My Health about the security and privacy of the health portal as opposed to doing independent checks," the Privacy Commissioner's report says.

Ministry of Health chief information officer Quin Carver says the Ministry and Health New Zealand are taking action, including working with Manage My Health to get independent assurance of post-incident security improvements and strengthening expectations for suppliers holding sensitive health information.

The Ministry is reviewing how the Health Information Security Framework is applied and monitored in practice and establishing clearer roles and processes for patient notification during cyber incidents. A desktop review of other major patient portals is underway, along with developing a system-wide action plan.

An independent review commissioned by the Ministry makes 26 recommendations, including: stronger third-party cyber risk management and independent assurance, clearer system-wide processes for patient notification, improved visibility of supply chain risks, and enhanced incident preparedness.

Bourne says the Ministry has accepted all the report's recommendations. Three actions are complete, five have been actioned with the Ministry awaiting external confirmation they are complete, 12 are underway and a further six are being planned.

Health NZ chief financial officer Bevan McKenzie says the organisation accepts the Privacy Commissioner's overarching finding that more should have been done to protect patient information.

"People expect their personal health information to be securely stored, and Health NZ and the rest of the health sector must ensure that is done," McKenzie says. 

"On this occasion patients were let down and that is unacceptable."

Health NZ has stopped the flow of information from Northland district to Manage My Health because of the Privacy Commissioner's findings. Measures are being put in place to ensure Northland patients can immediately be provided a paper copy of their discharge summary after a hospital visit, and that patient services are not impacted.

The Privacy Commissioner recommends that the Ministry of Health establish a process for verifying and assuring that patient health portals meet health sector security standards. The report also recommends amending the Privacy Act to allow third-party providers who do not meet reasonable security safeguards to be held liable.

"Third parties are increasingly playing a key role in the sharing, processing and storage of personal data," Webster says. 

"As such they are a target for malicious actors. It is critical they too are incentivised to put in place safeguards."

Bourne says protecting people's health information is fundamental to trust in the health system and that strong governance, clear accountability, and independent assurance are essential to reducing cyber risk.

Image: Privacy Commissioner Michael Webster
