Privacy commissioner announces inquiry into Manage My Health cyber breach

Investigation to cover security safeguards, steps to avoid future incidents

Michael Webster, New Zealand’s privacy commissioner, has announced that he will be conducting an inquiry under s 17(1)(i) of the Privacy Act 2020 regarding the serious cybersecurity breach impacting Manage My Health Limited (MMH). 

In a media release, Webster confirmed that the Office of the Privacy Commissioner (OPC) clearly needs to investigate the pertinent privacy issues, given the incident’s scale, the health and personal information’s sensitivity, and some systemic issues identified. 

Webster explained that the inquiry will help him decide whether the proper security safeguards were implemented, why the protections were not in place if they were not, and what measures could prevent similar incidents from recurring. 

The OPC noted that the privacy commissioner usually investigates privacy issues engaging the public interest through inquiries under s 17(1)(i) of the Privacy Act. 

“New Zealanders rightly expect any agency collecting, holding, using or storing their sensitive health information to maintain high standards of privacy and data protection,” Webster said in the OPC’s media release.

The OPC shared that it was presently consulting with the parties involved about the draft terms of reference, as required by the applicable legislation. The OPC added that it expected to release the relevant details on 28 January 2026. 

Prior statement

In a statement from earlier this month, the OPC announced that it learned about the cybersecurity breach of MMH’s platform on 1 January. The OPC noted that Webster would likely see the need for an investigation, depending on additional information from MMH. 

The OPC’s prior statement noted that the investigation would likely consider: 

  • the breach’s root cause 
  • MMH’s breach response 
  • whether reasonable steps were taken to ensure the protection of the pertinent personal information 
  • issues regarding retaining health information on MMH’s platform 
  • broader issues concerning the management and sharing of sensitive personal health information within the health system 

The OPC emphasised that failing to take reasonable steps to avoid breaches from occurring could merit compliance action, including a direction containing measures the affected agencies should adopt to enhance their systems and processes. 

In its prior statement, the OPC noted that it was supporting MMH and other relevant agencies, which were making efforts to contain and investigate the breach’s size and scope and identify and inform the impacted individuals and agencies. 

The OPC expressed its expectations for MMH and other health agencies to: 

  • be ready to show the privacy commissioner whether they had the proper security safeguards in place and what steps would keep similar incidents from recurring 
  • demonstrate their efforts to mitigate and address any harm to impacted individuals