The Northern Express Herald

Manage My Health privacy breach provides lessons for us all – Frith Tweedie

Opinion by
Frith Tweedie

The Privacy Commissioner's initial Manage My Health report has relevance beyond healthcare.

The Manage My Health breach wasn’t just a hack or a technical lapse. It was a governance failure amplified by over-reliance on vendors.

That’s the message underpinning the findings of the Privacy Commissioner’s inquiry into the Manage My Health breach.

And it’s a message that should concern every New Zealand organisation handling personal information. And not only those in the health sector.

What happened?

Hackers accessed the Manage My Health (MMH) online portal used by healthcare providers to share information with patients. The health records of nearly 100,000 New Zealanders were stolen by the hackers, who demanded payment of a US$60,000 ($105,000) ransom.

About 91% of the people affected were from Northland because of a Health NZ project that used the MMH portal to deliver hospital documents in that region. Health NZ also actively encouraged patients and GP practices around the country to use MMH.

Privacy Commissioner Michael Webster described the breach as one of New Zealand’s biggest and worst. He emphasised that it caused “serious anxiety and distress for many people”.

MMH and Health NZ were found to have breached the Privacy Act and will be issued with compliance notices.

Not just a security issue

While MMH’s failures were mostly technical, Health NZ’s were human.

The report identified a range of privacy governance failures by Health NZ that contributed to the breach, including poor oversight, accountability, due diligence, risk assessment and contractual safeguards.

Good privacy cannot be achieved through security controls alone. Organisations need to understand and remain accountable for how they collect and handle personal information.

Relevance beyond healthcare

The Privacy Commissioner is clear that all agencies need to consider the findings, not just those in the health sector.

Many of the issues “will resonate and make you think about what you need to do to make sure the same thing couldn’t happen to you in the future”. That includes the following.

  • Outsourcing services does not outsource accountability. The Commissioner warns that “simply relying on vendor assurances about their security profile is problematic”. Robust due diligence is essential.
  • Privacy and security expertise is key to good privacy governance and oversight. And good governance is critical to understanding and managing privacy and security risks.
  • Privacy impact assessments are essential tools for understanding privacy risks. The Privacy Commissioner found “serious problems with the quality of the privacy risk assessments” done by Health NZ, presenting “a lost opportunity” to test the effectiveness of privacy safeguards.
  • Appropriate contractual safeguards need to be in place when engaging third-party providers to handle data. 

Where to from here?

The Privacy Commissioner is recommending changes to the Privacy Act to make third-party service providers directly liable for ensuring reasonable security safeguards are in place for the personal information they process on behalf of customers.

At the moment, legal responsibility can be unclear when organisations outsource data handling functions to vendors and cloud platforms. The Office of the Privacy Commissioner is signalling this is no longer good enough, particularly where sensitive health information is involved.

Privacy law reform has also been suggested as part of the Cyber Security Action Plan 2026–2027 to incentivise the protection of personal information. That may include the introduction of a civil pecuniary penalty regime under the Privacy Act 2020.

All organisations should expect greater scrutiny

It’s also sensible to keep an eye out for phase two of the MMH inquiry, which will investigate the broader impacts of the breach, including transparency practices, data retention, notification communications and whether the breach caused a disproportionate impact on Northland Māori.

In short, organisations handling personal information should expect greater scrutiny of their privacy and security practices going forward. Those that rely on digital services and third-party platforms should pay particular attention.

Don’t wait until new laws come in or a data breach before you act. Organisations that invest now in transparency, governance, privacy expertise and responsible practices will be better placed to adapt to increasing regulatory and public expectations.

Intellectual property lawyer turned Simply Privacy principal and NZ AI Forum Executive Council member Frith Tweedie.

Frith Tweedie, a Partner at Simply Privacy, is a former lawyer who helps clients develop robust privacy and AI governance practices. She has designed and implemented privacy and AI governance frameworks for a range of clients across both the private and public sectors. Tweedie was previously the general counsel and chief privacy officer at a local tech company and led the Australian and NZ Digital Law teams at EY Law. She is a member of the Government Chief Digital Officer’s AI Expert Advisory Panel and the IAPP’s AI Governance Centre global advisory board. She served as an elected member of the AI Forum NZ Executive Council from 2019 to 2025.
