First phase of privacy commissioner inquiry finds breaches by Manage My Health, Health NZ

Inquiry arose from cybersecurity breach last December


In connection with the December 2025 Manage My Health (MMH) cyber incident, Privacy Commissioner Michael Webster has concluded and released the results of his independent inquiry’s first phase, which focused on what caused the cybersecurity breach and who was accountable. 

Regarding MMH, the Office of the Privacy Commissioner (OPC) attributed the cybersecurity breach to a combination of issues rather than a single security failure. According to the OPC’s media release, these problems included: 

  • numerous security gaps 
  • insufficient systems to detect access to significant amounts of information and to stop the hacker sooner
  • potential issues with the overall approach to security design 
  • questions about the quality of risk management practices 

The OPC noted that most information stolen from MMH originated from Northland hospitals. 

Next, the OPC determined that Health New Zealand should have taken further steps to ensure the safety of passing information to patients via MMH. The OPC found that Health NZ failed to: 

  • include specialist privacy and security personnel – which was necessary for a project of this kind, scale, and novelty – in the team engaging with MMH 
  • perform independent checks and instead relied too much on MMH’s information about the health portal’s security and privacy 
  • conduct adequate internal privacy risk assessments, which meant that the project designers and decision-makers were not well-informed about the requirements for safely sharing hospital information via the portal 
  • execute with MMH a fit-for-purpose contract reflecting how information-sharing would work and what would be necessary to keep information safe 

At this stage, the OPC saw no liability on the part of general practitioner (GP) practices for the security deficiencies that led to the breach. 

Insights for health sector

The OPC’s media release included insights from the inquiry’s first phase regarding how the health sector manages personal information. Specifically, the OPC: 

  • expects health agencies to take a systemic approach to ensure their access to skilled personnel, sound governance, proper policies and processes, secure technical systems, and an ability to detect failures in the system 
  • recommends that all patient health portal providers and all the health agencies engaging with them carefully study the inquiry’s findings and reassess their practices to ensure their compliance with the OPC’s expectations 
  • considers the National Cyber Security Centre standards and the health information security framework standards useful indications of the likely requirements under r 5 of the Health Information Privacy Code 2020 
  • calls for some degree of independent assessment rather than relying excessively on a vendor’s information regarding its security and privacy risk profile 
  • stresses the importance of incorporating privacy in the system design from the outset and not merely as an afterthought or as a check-box exercise 

“Privacy is not a ‘set and forget’ exercise, particularly in innovative and dynamic environments such as health services – review settings from time to time and ensure that controls are still in place and operating effectively,” the OPC’s media release stated.

Inquiry’s final phase

For the inquiry’s second phase, the OPC will focus on the breach’s consequences, including privacy complaints from those impacted, meetings with affected health providers in Northland, and potential further compliance action in the event of breaches of the Privacy Act 2020. 

The OPC noted that the second phase’s scope and timeline, which it would announce soon, would likely cover:

  • whether patients properly provided authorisation before the creation of MMH accounts on their behalf and the storage of information in those accounts 
  • whether patients received sufficient information regarding how the portal worked 
  • how the portal retained and deleted information 
  • whether there were quality communications about the breach 
  • whether the notifications to the OPC and impacted patients abided by the Privacy Act 
  • whether the breach disproportionately affected certain groups, particularly Northland Māori 
  • what was the nature of these disproportionate impacts, if any 
  • what were the obligations of GP practices when using patient health portals 

Context of inquiry

On 1 January 2026, MMH notified the OPC of the cyber incident. 

On 5 January 2026, Health Minister Simeon Brown announced that the Ministry of Health would lead a review, beginning by 30 January, regarding MMH’s and Health NZ’s response to MMH’s cybersecurity breach involving patient information. 

On 21 January 2026, Webster confirmed that he would commence an inquiry under s 17(1)(i) of the Privacy Act to delve into the breach. On 27 January 2026, he published the terms of reference for his inquiry.