Source: Privacy Commissioner
27 May 2026, 05:01
The Privacy Commissioner has today released the findings of Phase 1 of his Inquiry into the December 2025 Manage My Health cyber incident which resulted in the sensitive health information of New Zealanders being accessed, stolen and put up for sale.
The Privacy Commissioner has found both Manage My Health and Health NZ failed in their responsibilities to ensure reasonable security safeguards were in place to protect patient information, meaning they breached Rule 5 of the Health Information Privacy Code, relating to the storage and security of information.
Northland patients have been particularly impacted by the breach. “Around 91 percent of affected people were patients of Northland hospitals and it is likely that many affected patients will be Māori.
“The reason so many people from Northland were caught up is because of a unique arrangement between Health NZ and Manage My Health in Northland to provide patients with access to hospital discharge information – it was not happening in hospitals in the rest of New Zealand. Unfortunately, the area where the discharge information is stored for patients was the part of the Manage My Health portal that was breached.
Other Northland hospital patient information, like lab test results and referral documents, was not stolen because it was stored in a different part of the Manage My Health portal that wasn’t affected by the hack.
“Digital innovation can unlock greater efficiencies and effectiveness in service delivery. Health innovations like patient portals can have significant benefits, particularly in remote areas. It is clear that Health NZ’s intention in setting up the Northland hospital arrangement with Manage My Health was to try and improve outpatient services and hospital efficiency. However, my inquiry has found that there were several problems with how patient information was managed which contributed directly to the breach.
“We are aware that both Manage My Health and Health NZ have made changes to make sure that patients’ health information is properly protected.
Given the inquiry’s findings I intend to issue compliance notices to Manage My Health and Health NZ, so that we can independently check that those improvements are working properly and they are in line with what the Health Information Privacy Code requires. This is the strongest tool I currently have available to me to respond to serious privacy breaches”, Privacy Commissioner Michael Webster said.
The second phase of the Inquiry, which is to commence soon, is focussed on understanding the real-world impacts of the cyber incident. As part of this phase the Inquiry team will be holding face-to-face meetings with affected Northland health practices and providers, including Māori health providers, to get a better understanding of the impacts on them and their patients.
Key Inquiry Findings – Health NZ
Health NZ should have taken more steps to make sure that it was safe to pass on the information to patients through MMH. Key points were:
- The project team that engaged with MMH did not include specialist privacy and security personnel, which was needed for a project of this type, scale and novelty.
- There was over-reliance on information from Manage My Health about the security and privacy of the health portal as opposed to doing independent checks.
- Poor quality internal privacy risk assessments meant that the project designers and decision makers were not sufficiently well informed about what was needed to share hospital information safely through the portal.
- The contract between Health NZ and Manage My Health was not fit for purpose. It was generic rather than being designed to reflect how the information sharing would work and what was necessary to protect the information.
This hospital discharge information project happened before the district health boards (DHBs) were restructured into Health NZ, and the organisation works differently now, with more support available for privacy and security. The Commissioner’s compliance notice will check that those changes are working effectively.
“Sharing Northland patient information with Manage My Health was a novel and major project for Health NZ and it was their job to make sure their patients’ information was properly protected.
“Patient portals can be an excellent way to enable Northland residents to access their own information, but they need to be confident that the information is as safe as possible”, Mr Webster said.
Key Inquiry Findings – Manage My Health
The breach wasn’t the result of a single security failure, but was due to a combination of problems, including:
- having several key gaps in security that allowed the attack to happen in the first place
- failing to have systems in place that would detect that large amounts of information were being accessed, so that steps could be taken to interrupt the hacker before so much information was stolen.
The inquiry also raised questions about the quality of Manage My Health’s overall approach to security design, as well as the quality of its risk management and governance practices.
Manage My Health has made various changes since the breach to make sure information in the portal is properly protected, and the compliance notice will check that those changes are working.
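The second failing listed above, the absence of anything that would notice an unusually large volume of records being read, is a control a practitioner can reason about concretely. The following is an added example and is not code, log format or detection logic from Manage My Health or from the Commissioner’s report; the access-log layout, the session identifiers, the patient IDs, the 10-minute window and the 25-patient threshold are all assumptions made for illustration, and the log lines are constructed. It flags a session the first time it reads more distinct patient records inside a sliding window than any ordinary user would, which is the point at which a session could be interrupted rather than left to run.

```python
"""Volumetric detection of bulk record access in a patient-portal access log.

Added example, not Manage My Health's own logging or detection code. The log
format, field names, window length and threshold below are assumptions.
Alerts are keyed on distinct patients per session, not raw request count, so
one patient refreshing their own record does not trip the rule while a session
sweeping through many different patients' records does.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) log format, one event per line:
#   2025-12-10T02:14:07Z session=sess-42 patient=P00123 resource=discharge_summary
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one access-log line into a dict of its fields."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(ts, TS_FMT),
        "session": kv["session"],
        "patient": kv["patient"],
        "resource": kv["resource"],
    }


def detect_bulk_access(lines, window=timedelta(minutes=10), max_distinct_patients=25):
    """Return one alert per session, raised the first time that session has read
    more than max_distinct_patients distinct patient records within `window`."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    recent = defaultdict(deque)  # session -> deque of (timestamp, patient) inside the window
    alerted = set()
    alerts = []
    for ev in events:
        q = recent[ev["session"]]
        q.append((ev["ts"], ev["patient"]))
        # Drop events that have fallen out of the sliding window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {patient for _, patient in q}
        if len(distinct) > max_distinct_patients and ev["session"] not in alerted:
            alerted.add(ev["session"])
            alerts.append({
                "session": ev["session"],
                "at": ev["ts"],
                "window_start": q[0][0],
                "distinct_patients": len(distinct),
            })
    return alerts


def constructed_log():
    """Constructed sample log: a clinician, a patient re-reading their own record,
    and a scraping session. None of this is real data."""
    base = datetime(2025, 12, 10, 2, 0, 0)
    lines = []
    # A clinician reviewing six patients over half an hour, two documents each.
    for i in range(6):
        for doc in ("discharge_summary", "lab_result"):
            t = base + timedelta(minutes=5 * i, seconds=20)
            lines.append(f"{t:{TS_FMT}} session=sess-clin-1 patient=P{i:05d} resource={doc}")
    # A patient refreshing their own discharge summary 60 times in three minutes:
    # high request volume, but only one patient record.
    for k in range(60):
        t = base + timedelta(seconds=3 * k)
        lines.append(f"{t:{TS_FMT}} session=sess-self-7 patient=P00777 resource=discharge_summary")
    # A scraping session reading 200 different patients' discharge summaries in eight minutes.
    for k in range(200):
        t = base + timedelta(minutes=40) + timedelta(seconds=2.4 * k)
        lines.append(f"{t:{TS_FMT}} session=sess-scrape-9 patient=P{1000 + k:05d} resource=discharge_summary")
    return lines


if __name__ == "__main__":
    for alert in detect_bulk_access(constructed_log()):
        print(f"ALERT {alert['session']}: {alert['distinct_patients']} distinct patients "
              f"between {alert['window_start']:{TS_FMT}} and {alert['at']:{TS_FMT}}")
```

On the sample log only the scraping session is flagged, at its 26th distinct patient and roughly a minute into an eight-minute sweep, while the clinician and the self-refreshing patient never exceed the threshold. In a real deployment the key would combine account, token and source address rather than a single session field, thresholds would be set per role from observed baselines, and the alert would feed an automatic session revocation as well as a human queue.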
Key Inquiry Findings – GP practices
There is nothing that GP practices could have done to prevent this breach, and GPs were not the source of the information that was stolen. GPs are therefore not liable for this breach.
However, it could easily have been otherwise if a different area of the portal had been affected. The inquiry report therefore sets out reasonable security safeguards that the Office of the Privacy Commissioner expects GP practices to have in place. It is important for GP practices to review these findings to ensure that they can be confident that they’ve taken adequate steps to protect patient information.
Lessons for the Health sector
“This Inquiry provides many lessons for both the agencies involved and for the wider health sector into how the management of personal health information can be improved,” says Privacy Commissioner Michael Webster. These include:
- We strongly recommend that all patient health portal providers, and all health agencies that engage with them consider the findings carefully and review their own practices to make sure that they are meeting the expectations that we have set out.
- We expect agencies to take a systemic approach – ensuring they have access to skilled people, secure technical systems, appropriate policies and processes, an ability to detect if things go wrong, and sound governance.
- NCSC and Health Information Security Framework standards are useful indications of what is likely to be required under Rule 5 of the Health Information Privacy Code.
- Privacy needs to be built in from the start and be part of system design – not an afterthought or a check-box exercise.
- Over-reliance on a vendor’s information about its security and privacy risk profile can be problematic – a degree of independent assessment is essential.
- Privacy is not a ‘set and forget’ exercise, particularly in innovative and dynamic environments such as health services – review settings from time to time and ensure that controls are still in place and operating effectively.
Next steps
The Inquiry into the Manage My Health cyber incident is being done in two phases. This report completes Phase 1. Now that cause and accountability have been resolved, my Office is able to begin considering privacy complaints from people affected by the breach.
The scope and timing of Phase 2 will be announced shortly but is likely to include:
- Whether patients were properly asked for authorisation before a MMH account was established for them and information was stored in that account.
- Whether patients received adequate information about how the portal would be used.
- Retention and deletion of information within the portal.
- The quality of communications about the breach.
- Whether the notifications to OPC and to affected patients met the requirements of the Privacy Act.
- Whether the breach caused a disproportionate impact on any group, particularly Northland Māori.
As part of Phase 2 the Office of the Privacy Commissioner will engage directly with affected Northland practices and providers, including Māori health providers, to understand the real-world impacts of the breach on them and their patients.
