New Zealand Privacy Commissioner finds Manage My Health and Health NZ breached Privacy Act

New Zealand Privacy Commissioner Michael Webster has released the findings of Phase 1 of his inquiry into the December 2025 Manage My Health cyber incident, in which sensitive patient information was accessed, stolen, and offered for sale.

The first phase of the inquiry focused on the causes of the breach and accountability. The Commissioner found that both Manage My Health and Health NZ breached Rule 5 of the Health Information Privacy Code by failing to ensure reasonable security safeguards for patient information.

The breach affected nearly 100,000 people and caused serious anxiety and distress for many of those impacted. Around 91% of affected patients were based in Northland, with the Commissioner noting that many were likely to be Māori.

The investigation found that a single failure did not cause the breach, but it was a combination of security weaknesses. Manage My Health had gaps in technical safeguards, lacked systems to detect large-scale access to information, and raised concerns about the quality of its security design and risk management practices.

Health NZ was criticised for not doing enough to ensure that Northland hospital patients’ information would be kept safe before arranging to share it through the Manage My Health portal. The inquiry found that the project team lacked specialist privacy and security expertise, relied too heavily on information from Manage My Health, used poor-quality internal privacy risk assessments, and operated under a contract that was not fit for purpose.

The Commissioner said he intends to issue compliance notices requiring both organisations to complete the remaining necessary work and to demonstrate that their security controls are effective in preventing similar incidents. He also recommended that the Ministry of Health establish a process for verifying and ensuring that patient portals meet health-sector security standards.

A second phase of the inquiry will examine the broader impacts of the breach, including patient authorisation, information provided to patients, retention and deletion practices, breach communications, notification compliance, and whether the incident had a disproportionate impact on any group, particularly Northland Māori.

Why does it matter?

The findings show how privacy and cybersecurity failures in health portals can create large-scale risks when sensitive patient data is shared through third-party systems. The case also raises a wider governance issue for digital health: agencies cannot rely only on vendor assurances when transferring large volumes of health information. Independent security assessment, privacy-by-design, effective contracts, and ongoing monitoring are becoming essential safeguards for digital health infrastructure.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!