Third-Party providers should be held liable for data breaches - Privacy Commissioner
14 hours ago
NEWS - eHealthNews editor Rebecca McBeth 
The Office of the Privacy Commissioner (OPC) has recommended amendments to the Privacy Act that would hold third-party providers liable for security failures, even when they are collecting or storing data on behalf of another agency.
The recommendation is part of a Phase 1 inquiry into the December 2025 Manage My Health breach, which resulted in the private health information of more than 99,000 New Zealanders being accessed, stolen and put up for sale.
"Third parties are increasingly playing a key role in the sharing, processing and storage of personal data," Privacy Commissioner Michael Webster says.
"As such they are a target for malicious actors. It is critical they too are incentivised to put in place safeguards."
The report also recommends that the Ministry of Health set up a process for verifying and assuring that patient health portals such as Manage My Health meet health sector security standards.
“It is not practicable for every user, such as individual GP practices, to do their own separate security testing or assurance. Instead, providers should be checked and approved at a central level,” it says.
Altersec chief executive Faustin Roman says the OPC recommendation is overdue and the model already exists and works in other countries.
“Europe's GDPR makes processors directly liable for security alongside the controller, and Australia is moving the same way. New Zealand is now the outlier,” he tells eHealthNews.
“Processor liability would give OPC a direct enforcement lever it currently lacks and reduce the unrealistic due-diligence burden on small principals like GP practices.”
However, he says this is not the whole answer and is pleased to see the report also puts clear obligations on Government, the Ministry of Health and Health NZ.
“Health NZ is in a unique position here: it is both a respondent in this inquiry and the sector lead through the HISF standard. It is the agency best placed, and most obligated, to drive these reforms across the sector. It should lead from the front,” Roman says.
GPNZ deputy chair Justin Butcher says the OPC recommendation is a sensible and practical step.
“Small businesses such as general practices should not be left relying solely on contractual remedies when IT providers fail to meet appropriate standards,” he says.
An independent technical review of the MMH breach by CyberCX for the Ministry of Health recommends that Health New Zealand “comprehensively review and uplift its third party risk management practices”, saying the attack method was not technically sophisticated.
The breach happened when a hacker calling themselves Kazu used compromised user credentials to exploit flaws in an application programming interface to access stored data, which included clinical notes, intimate imagery and documents such as passport scans.
The review found Manage My Health was "unprepared for an incident of this nature", had "significant control failings" in its technology environment and was likely not aligned with the Health Information Security Framework requirements before the breach happened.
The inquiry also found Health New Zealand failed in its responsibilities and its contract with Manage My Health was "not fit for purpose," as it was generic rather than designed to reflect how information sharing would work and what was necessary to protect it.
The OPC review found GP practices were not liable for security failings that caused the breach, as they could not have prevented it and were not the source of stolen information.
However, it sets out security safeguards it expects all GP practices to have in place when using patient portals.
Damon Campbell, chief operating officer, WellSouth Primary Health Network, says third-party digital health providers such as Manage My Health need to be held to the same standards as the health agencies they serve.
“The systemic lesson here is one the sector needs to take seriously: digital innovation in health is vital, but it cannot outpace the privacy and security frameworks that protect people,” he says.
Phase 2 of the inquiry will focus on the impacts of the breach, including whether patients were properly asked for authorisation before accounts were established, whether they received adequate information about the portal, and whether the breach caused disproportionate impact on Northland Māori.
Budget 2026 has committed more than $150 million in funding for cybersecurity in health over the next four years.
In his Budget statement health minister Simeon Brown said that over the next year, Health New Zealand will implement a programme to identify and manage cyber risks posed by third-party vendors and systems, strengthen accountability for fixing security risks, introduce annual audits of critical systems, and use scalable tools, including AI-enabled assessments, to improve cyber security maturity across primary care.