Privacy watchdog faults operator and Health NZ over Manage My Health breach

Te Whatu Ora: Privacy watchdog faults operator and Health NZ | CIO Times Magazine

New Zealand’s Privacy Commissioner has found that Te Whatu Ora Health NZ and Manage My Health Limited failed to meet their obligations to protect sensitive health information, following an investigation into what has been described as one of the country’s largest known data breaches affecting personal medical records. The findings relate to a cyberattack on the Manage My Health patient portal in December, which impacted nearly 100,000 people.

The Office of the Privacy Commissioner (OPC) concluded that both organisations breached Rule 5 of the Health Information Privacy Code, which requires adequate safeguards for personal health data. As a result, both are expected to receive compliance notices requiring them to demonstrate how they will address the identified security shortcomings.

Scale and nature of the breach

The inquiry found that approximately 99,416 patients were affected, a revised figure down from an earlier estimate of 126,000. Around 91% of those impacted were based in Northland, where Te Whatu Ora had a specific arrangement with Manage My Health to make certain hospital records available through the portal.

Attackers reportedly used valid but stolen patient credentials to log in. Once authenticated, they were able to view and copy documents from thousands of other patients' accounts, which makes this a failure of authorisation as well as authentication: a single compromised login was able to reach records that did not belong to it. The compromise was limited to the portal's "My Health Documents" module, but that module still exposed a wide range of sensitive data, including hospital discharge summaries, patient-uploaded documents, and personal identifiers such as names, dates of birth, National Health Index (NHI) numbers, addresses, email addresses, and phone numbers.

Security gaps and organisational failures

Investigators concluded the breach was not caused by a single failure at Manage My Health Limited, but rather a combination of security weaknesses that increased both the likelihood and impact of the attack. Although multifactor authentication was available, it was not mandatory. In addition, identity and access management controls and web security protections were found to be insufficiently robust.

Earlier testing had already identified recurring security risks that were not properly resolved before the incident. Manage My Health Limited also did not detect the attackers' activity through its own monitoring, and only became aware of the breach after being alerted by Te Whatu Ora.
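The two weaknesses above (one stolen login reading other patients' documents, and no internal detection of that activity) are easier to reason about in code. The following Python is an added illustration written for this page; it is not code from Manage My Health, Te Whatu Ora or the OPC report, and the document store, the `owner` field, the patient identifiers and the access-log format are all constructed for the example. It shows a document endpoint that checks only that the caller is logged in, the hardened form that also binds the document to the session's own identifier and fails closed, and a small detector that flags any session touching documents owned by several different patients.

```python
"""Added illustration, not Manage My Health's or the OPC's code.

Models the failure mode in the article: a logged-in user fetching
documents that belong to other patients (an object-level authorisation
gap), the hardened form of that check, and a log-based detector for a
session that reads across many patients' records. Identifiers, the
owner field and the log format are constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner: str      # hypothetical: the patient identifier that owns the record
    title: str


# Constructed sample store: three patients, four documents.
DOCS: Dict[str, Document] = {
    "d-1001": Document("d-1001", "patient-A", "Discharge summary"),
    "d-1002": Document("d-1002", "patient-B", "Discharge summary"),
    "d-1003": Document("d-1003", "patient-C", "Uploaded referral"),
    "d-1004": Document("d-1004", "patient-A", "Lab results"),
}


class AccessDenied(Exception):
    pass


def fetch_vulnerable(session_user: Optional[str], doc_id: str) -> Document:
    """Authentication only. Any logged-in user who knows or enumerates a
    doc_id receives the document, whoever owns it. This is the pattern
    that lets one stolen account read many other accounts' records."""
    if session_user is None:
        raise AccessDenied("login required")
    return DOCS[doc_id]          # missing ownership check


def fetch_hardened(session_user: Optional[str], doc_id: str) -> Document:
    """Object-level authorisation: the document must belong to the session
    user. 'Not yours' and 'does not exist' return the same error so the
    endpoint cannot be used as an oracle to enumerate valid ids."""
    doc = DOCS.get(doc_id)
    if session_user is None or doc is None or doc.owner != session_user:
        raise AccessDenied("document not found")
    return doc


def can_read(session_user: Optional[str], doc_id: str) -> bool:
    """Boolean wrapper around the hardened check."""
    try:
        fetch_hardened(session_user, doc_id)
        return True
    except AccessDenied:
        return False


# Constructed access-log lines: one request per line, key=value fields.
SAMPLE_LOG = [
    "seq=1 session=patient-A doc=d-1001 result=ok",      # own record
    "seq=2 session=patient-A doc=d-1004 result=ok",      # own record
    "seq=3 session=patient-B doc=d-1002 result=ok",      # own record
    "seq=4 session=patient-B doc=d-1001 result=ok",      # another patient's
    "seq=5 session=patient-B doc=d-1003 result=ok",      # another patient's
    "seq=6 session=patient-B doc=d-9999 result=denied",  # probing a missing id
]


def parse_line(line: str) -> Dict[str, str]:
    """Turn 'k=v k=v ...' into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def flag_cross_account_readers(lines: List[str], threshold: int = 2) -> Dict[str, List[str]]:
    """Return sessions that touched documents of at least `threshold`
    distinct other owners. Unknown ids count as one bucket, because probing
    nonexistent ids is itself a signal. Denied requests are counted too: a
    hardened endpoint stops the read, but the attempt is still evidence."""
    foreign: Dict[str, set] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        doc = DOCS.get(rec["doc"])
        owner = doc.owner if doc else "unknown-doc"
        if owner != rec["session"]:
            foreign[rec["session"]].add(owner)
    return {s: sorted(o) for s, o in foreign.items() if len(o) >= threshold}


if __name__ == "__main__":
    print(fetch_vulnerable("patient-B", "d-1001").title)   # leaks patient-A's record
    print(can_read("patient-B", "d-1001"))                  # False
    print(flag_cross_account_readers(SAMPLE_LOG))           # flags patient-B
```

The detector deliberately keys on the number of distinct owners a session reaches rather than on request volume, since a legitimate patient reading their own discharge summaries many times looks nothing like one session walking through other people's records; in a real deployment the owner lookup would come from the document service and the threshold would be tuned against normal portal traffic.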

The company has since made multifactor authentication compulsory, addressed the exploited vulnerability, and begun updating governance structures, policies, and contracts. However, the Privacy Commissioner has not yet independently verified these changes.

A separate Ministry of Health review, published shortly after, also concluded the breach was largely preventable, pointing to significant security control gaps, weaknesses in incident response, and poor communication planning.

Governance concerns and systemic response

The OPC also examined Te Whatu Ora’s Northland arrangement with Manage My Health, which enabled hospital data to be shared via the portal. It found that this exposed large volumes of sensitive information and required exceptionally strong governance, risk management, and oversight.

However, the inquiry identified shortcomings in due diligence, privacy risk assessments, contract design, and programme governance. There was also an overreliance on assurances from Manage My Health Limited, and no dedicated privacy or security representation on the project steering group. Contracts were described as not fit for purpose and lacking adequate protections for patient data.

In response, Te Whatu Ora has stopped the data flow from Northland to the portal following further due diligence. It is also enabling paper-based discharge summaries for Northland patients, strengthening procurement templates, and enhancing privacy and security assessment processes, alongside broader reviews of patient portal providers.

Oversight, legal reform, and future inquiries

The OPC noted that general practices were unlikely to be legally responsible for the stolen data, as they did not control the compromised module, though it warned responsibility could easily have fallen differently depending on circumstances.

The Commissioner called for stronger central oversight of health technology providers, arguing that there is currently no unified system for verifying suppliers' cybersecurity standards, and recommended that the Ministry of Health establish an ongoing national programme to assess vendor security rather than leaving that task to individual providers such as GP practices.

Ministry of Health Chief Medical Officer Dr Joe Bourne confirmed that the ministry has accepted all 26 recommendations from its own review, which was supported by independent assessments from Bastion Security Group and CyberCX. The ministry is now working towards a more consistent, system-wide approach to validating cybersecurity standards across the sector.

The OPC also recommended changes to the Privacy Act to make third-party providers directly accountable for safeguarding personal data when processing it on behalf of other organisations.

A second phase of the inquiry will examine consent practices, user transparency, data retention and deletion policies, and whether breach notifications were properly handled. Meanwhile, recent incidents involving MediMap in February and IntraCare in March highlight a wider pattern of cybersecurity challenges across New Zealand’s healthcare technology sector.
