Privacy commissioner to monitor security upgrades after Manage My Health hack
RNZ
Health NZ and patient portal Manage My Health "failed in their responsibilities" to have adequate security controls when hundreds of thousands of medical files were stolen in a cyber attack, the Privacy Commissioner has found.
Described as one of the country's biggest cybersecurity incidents, the hack obtained access to sensitive health data held by privately owned patient portal Manage My Health in December last year.
Reviews were subsequently commissioned by Health NZ, Ministry of Health and the Office of the Privacy Commissioner.
In findings released on Wednesday, commissioner Michael Webster found both Manage My Health and Health NZ had deficient security safeguards in place to protect patient information.
Both organisations had breached principle 5 of the Privacy Act, Webster said.
"My inquiry has found that there were several problems with how patient information was managed. This incident released the sensitive health information of nearly 100,000 New Zealanders and has caused serious anxiety and distress for many people."
More than 70 percent of those impacted by the Manage My Health breach were based in Northland.
"The reason so many Northland patients were caught up in the breach was because of a unique arrangement between Health NZ and Manage My Health in Northland involving hospital discharge information. It was not happening in hospitals in the rest of the country," Webster said.
The commissioner was due to issue compliance notices to Manage My Health and Health NZ, a move utilised for the most serious privacy breaches.
"While both Manage My Health and Health NZ have already made changes to their security settings, compliance notices will formally require both of them to complete any necessary remaining work and demonstrate to my satisfaction that all changes are working effectively," Webster said.
"In particular, several of Manage My Health's technical security safeguards were inadequate at the time the breach occurred. We recognise that Manage My Health has made several important changes, but we want to independently check what has been done and that the changes provide effective protection against similar types of attacks in future."
The commissioner said the cybersecurity breach was not the result of a single security failure, but was due to a combination of problems.
Webster said Manage My Health failed to have systems in place that would detect large amounts of information being accessed, so that steps could be taken to interrupt the hacker before so much information was stolen.
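The detection gap described above, no system to notice an unusually large volume of records being read, is the kind of control a rate-of-access monitor addresses: count how many distinct documents each account opens inside a short rolling window and raise an alert once that count passes what a normal clinician or patient would ever reach. The following is an added example written for this page; it is not code from Manage My Health, Health NZ, or any of the commissioned reports. The log format, the actor names, the five-minute window and the 20-document threshold are all assumptions, and the log lines are constructed.

```python
"""Rolling-window bulk-access detector over a constructed document access log.

Added example (not from the page's subject organisations or reports).
Assumed log line format: "<ISO timestamp> <actor> <document id>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample data: two normal actors and one account reading in bulk."""
    base = datetime(2025, 12, 1, 2, 0, 0)
    lines = []
    # A clinician opening 8 documents spread over 40 minutes.
    for i in range(8):
        ts = base + timedelta(minutes=5 * i)
        lines.append(f"{ts.isoformat()} clinician-a doc-{1000 + i}")
    # A patient reading their own two discharge documents.
    lines.append(f"{(base + timedelta(minutes=3)).isoformat()} patient-b doc-2001")
    lines.append(f"{(base + timedelta(minutes=4)).isoformat()} patient-b doc-2002")
    # A compromised or misused account pulling 60 documents in three minutes.
    for i in range(60):
        ts = base + timedelta(minutes=10, seconds=3 * i)
        lines.append(f"{ts.isoformat()} svc-export doc-{3000 + i}")
    lines.sort()  # fixed-width ISO timestamps sort chronologically as strings
    return lines


def parse_line(line):
    """Split one access log line into (timestamp, actor, document id)."""
    ts, actor, doc = line.split()
    return datetime.fromisoformat(ts), actor, doc


def detect_bulk_access(lines, window=timedelta(minutes=5), threshold=20):
    """Return one alert per actor whose distinct-document count inside any
    rolling `window` reaches `threshold`.

    Each alert is (actor, ISO time the threshold was first crossed, count).
    Raising at the moment of crossing is what lets a responder interrupt the
    access rather than discover it after the fact.
    """
    recent = defaultdict(deque)  # actor -> deque of (timestamp, doc) in window
    alerts = {}
    for line in lines:
        ts, actor, doc = parse_line(line)
        q = recent[actor]
        q.append((ts, doc))
        # Drop events that have aged out of the window (log is time-ordered).
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and actor not in alerts:
            alerts[actor] = (ts, len(distinct))
    return [(actor, ts.isoformat(), n) for actor, (ts, n) in alerts.items()]


if __name__ == "__main__":
    for actor, when, count in detect_bulk_access(build_sample_log()):
        print(f"ALERT {when} {actor}: {count} distinct documents in window")
```

The thresholds here are placeholders; in practice they are set from a baseline of observed per-role behaviour, and the alert should feed an action (session revocation, token invalidation) as well as a ticket, since the point of the finding is that detection alone did not exist to interrupt the download.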
He said Health NZ should have taken more steps to make sure that it was safe to pass on the information to patients through Manage My Health.
Two further reports commissioned by health officials - released on Wednesday - also found cybersecurity failures leading to the breach.
Deloitte's report for Health NZ found security across the digital health landscape was "inconsistent and insufficient".
It said stored information was vulnerable because of the health agency's over-reliance on third-party arrangements.
"Information security can be compromised at any point in this complicated web of relationships, and with the waning public trust of health technology following three significant breaches in 2026 so far, this demands a sector-wide response if we want to confidently keep New Zealanders' health data safe."
A report by CyberCX for the Ministry of Health said Manage My Health was unprepared for an incident of this nature, had significant control failings in its technology environment, and was likely not aligned with [Health Information Security] requirements prior to the breach occurring.
It said the breach served as a call to action for the health sector, and New Zealand organisations generally, to improve cybersecurity controls and governance.
Health NZ responds
Health NZ said it welcomed the reports into the cyber attack and was committed to ensuring all possible steps were taken to safeguard patient information.
Chief financial officer Bevan McKenzie said it accepted the Privacy Commissioner's findings that more should have been done to protect patient information.
"People expect their personal health information to be securely stored, and Health NZ and the rest of the health sector must ensure that is done. On this occasion patients were let down and that is unacceptable.
"We know some patients will have been surprised to discover their health information was stored in the MMH system without their knowledge. We apologise for this and any distress caused."
In light of the commissioner's report, Health NZ had halted the flow of information from Northland district to the Manage My Health portal.
"Measures are being put in place to ensure Northland patients can immediately be provided a paper copy of their discharge summary after a hospital visit, and that patient services are not impacted," McKenzie said.
"While ensuring people have timely access to their own health information is a priority for Health NZ, safeguarding the security of that information must always remain paramount.
"This does not impact patient access to MMH patient portals and their general practice related clinical records, appointments, and repeat prescription services."
Manage My Health apologises
In a statement, Manage My Health said it acknowledged the serious nature of the cyber attack and the distress and concern it caused patients, healthcare providers and the wider community.
"We apologise for this occurrence and for the impact it has had on those affected.
"The reports confirm that this was a deliberate criminal attack by an unauthorised third party involving the use of compromised credentials and the exploitation of a specific vulnerability. The affected data was limited to the "My Health Documents" area of the platform, with no evidence of compromise to core patient portal systems and their integration with GP practice management systems. We recognise that any breach of trust is significant and we take that responsibility seriously."
Manage My Health said it had undertaken a comprehensive programme of security and operational improvements, including mandatory multi-factor authentication for all users, enhanced real-time monitoring and alerting capability, strengthened access controls, and expanded independent security testing across the platform.
"We are continuing to work constructively with regulators and sector partners to demonstrate that our controls are in place and operating effectively."