Scope includes compliance with relevant framework, policies, processes
The Office of the Privacy Commissioner (OPC) has released the terms of reference for an independent inquiry under s 17(1)(i) of the Privacy Act, focusing on the cybersecurity breach impacting patient data within Manage My Health Limited’s (MMH) portal.
“As the independent privacy regulator, my Office will be asking the hard questions, not only on behalf of those whose personal health information has been stolen, but for all New Zealanders who need to be able [to] trust that our health information systems are safe and secure,” said Michael Webster, privacy commissioner, in a media release.
Webster said the inquiry allows him to investigate important privacy issues engaging the public interest, obtain information from relevant organisations or individuals, summon witnesses, and consider whether reasonable steps have ensured the proper protection of the sensitive information, as well as how to improve safeguards.
Webster acknowledged that doubts have arisen about the privacy and security afforded to sensitive health information following the MMH cyber incident, especially amid the rise in cyber threats and the increasing utilisation of new technologies.
According to him, through portals and other digital health innovations, New Zealanders can have more visibility and ownership over their health information, as well as access important health services more swiftly and easily.
“But this cannot be at the expense of privacy and security,” Webster said. “For people to trust and benefit from digital health solutions, innovation and data protection must go hand in hand.”
In its media release, the OPC shared that the inquiry’s terms of reference include:
The OPC added that the inquiry may also address associated matters such as:
The inquiry would, however, exclude the responses of the National Cyber Security Centre, police, and government agencies not within the inquiry’s scope to the cyber breach, the ransom demand, and criminal matters.
The inquiry will proceed in two phases. In its media release, the OPC explained that the first phase, expected to wrap up by 30 April 2026, will cover:
The OPC noted that the findings in the first phase will influence its advisory or compliance response, including its investigation of any relevant complaints. The findings will also impact the scope and timing of the inquiry’s second phase.
On 1 January, MMH notified the OPC of the cyber incident.
On 5 January 2026, Health Minister Simeon Brown announced that the Ministry of Health would lead a review, beginning by 30 January, regarding MMH’s and Health New Zealand’s response to MMH’s serious cybersecurity breach involving patient information.
On 21 January 2026, Webster confirmed that he would commence an inquiry under s 17(1)(i) of the Privacy Act to delve into the breach.