Source: Privacy Commissioner
This statement was updated on Friday, 9 January 2026.
We were notified on 1 January by Manage My Health (MMH) of a serious cyber security breach of its platform. We have been working with them and other relevant agencies as they contain and investigate the size and scope of the breach and identify and notify affected health agencies and individuals.
New Zealanders rightly expect any agency collecting, holding, using or storing their sensitive health information to maintain high standards of privacy and data protection. Failure to take all reasonable steps to ensure the security of personal information against loss, misuse or disclosure is a breach of the Privacy Act.
We expect Manage My Health and any other relevant health agencies to be able to demonstrate to the Privacy Commissioner, as the privacy regulator, that they had appropriate security safeguards in place, if not, why not, and what steps will be taken to prevent such an incident happening again.
We also expect them to demonstrate that they have taken appropriate steps to mitigate and respond to any harm caused to affected individuals. Failure to have taken reasonable steps to prevent a breach from occurring can result in compliance action, including directing the agencies concerned to take steps to improve their systems and processes.
It’s still early in the incident response process and our current focus is to support MMH and relevant health agencies in their response to the breach and notifying and supporting affected parties.
Our next step is assessing the further responsive action we need to take as the regulator under the Privacy Act. Given the scale of the incident, the sensitivity of the personal and health information affected and systemic issues being identified, it is likely that the Privacy Commissioner may decide an investigation is warranted, depending on further information being provided by MMH.
If so, this would likely include consideration of the root cause of the breach, MMH’s breach response, and whether all reasonable steps were taken to ensure the personal information was appropriately safeguarded. This could also include issues about the retention of health information on the platform and any broader issues around how sensitive personal health information is managed and shared within the health system.
Our Compliance and Regulatory Action Framework sets out the way in which our office intends to approach its regulatory and compliance activities.
Information for General Practices and health agencies affected by the breach
In this case, given the scale of the incident, Manage My Health has notified OPC about the security breach and is providing OPC with information about the health agencies and practices affected. This means that individual practices do not also need to notify OPC. Primary care providers will be contacted directly as further information is required.
Information for people impacted by the Manage My Health cyber incident
Everyone in New Zealand has privacy rights. Read about your privacy rights.
The Privacy Act places responsibility on organisations that collect, use or store your personal information to keep it safe and secure using all reasonable steps. Failure to take reasonable steps to protect your information against unauthorised access is a breach of the Privacy Act. If you experience actual or potential privacy harm because of this, you can make a complaint under the Privacy Act.
If you are a user of Manage My Health, you can log in to check if your information has been affected or not. You can also read the FAQs related to the cyber breach, update your password and set up multi-factor authentication.
- Manage My Health has set up an 0800 helpline.
- For emotional support, call or text 1737 Need to Talk? any time, for free.
- You can also contact your general practice if you have questions or concerns about your health information
Making a privacy complaint
If you wish to make a privacy complaint, you must first complain to the organisation responsible for your information under the Privacy Act and give them an opportunity to respond.
Manage My Health provides patient portal services on behalf of health providers and can also provide services directly to registered users. For this reason, we suggest you complain to both MMH and copy your health provider (usually your GP).
For Manage My Health, complaints can be sent to nzsupport@mmhglobal.com.
If you are not satisfied with their response/s and you believe that your privacy has been harmed, you can use our online complaint form to make a complaint to the Privacy Commissioner. You can find out about our complaints process from our website.
What to do if you see or come across information that has been breached
NOTE – there are legal restrictions on accessing the affected information due to the court injunction that is in place.
As with any cybersecurity breach it’s important that should people receive or find information related to this issue, that they do the right thing and don’t spread it by sharing it further, they should also report it to the New Zealand Police.
Further updates
We will update this statement as the situation progresses.
