Privacy Watchdog Faults Operator, Health NZ over Manage My Health Hack
Why It Matters
The breach exposes systemic weaknesses in New Zealand’s health‑tech ecosystem, prompting calls for stronger vendor oversight and tighter privacy governance. Failure to address these gaps could erode public trust and invite regulatory penalties for health providers.
Key Takeaways
- 99,416 NZ patients' records exposed in Manage My Health breach
- Optional MFA and weak access controls enabled hackers to steal data
- Te Whatu Ora contracts lacked adequate privacy safeguards for patient portal
- Commissioner urges central oversight of health‑tech vendors in NZ
- Ministry of Health to adopt 26 security recommendations after review
Pulse Analysis
The Manage My Health incident underscores how a single vulnerable portal can jeopardize the privacy of tens of thousands of patients. Hackers leveraged stolen credentials to infiltrate the My Health Documents module, extracting discharge summaries, NHI numbers and contact details. While multi‑factor authentication existed, it was optional, and broader identity‑and‑access management controls were deemed ineffective. This combination of technical lapses and insufficient contractual protections allowed the breach to scale rapidly, particularly affecting Northland where the portal was heavily used.
Regulators responded swiftly, with the Office of the Privacy Commissioner issuing compliance notices and recommending a centralized oversight framework for health‑technology suppliers. The commissioner highlighted the absence of a national process to verify that vendors meet security standards, urging the Ministry of Health to create an ongoing validation programme. Parallel recommendations from a Ministry of Health review call for 26 specific security improvements, ranging from contract reform to enhanced incident‑response capabilities. Together, these actions aim to close the governance gaps that allowed the breach to occur and to shift responsibility for security from individual GP practices to a more coordinated, sector‑wide approach.
The breach arrives amid a string of cyber incidents targeting New Zealand’s health sector, including attacks on MediMap and IntraCare. These events have amplified pressure on policymakers to modernize the country’s health‑data protection regime. Proposed amendments to the Privacy Act would make third‑party service providers directly liable for reasonable security safeguards, aligning legal accountability with the technical realities of cloud‑based health services. For providers, the lesson is clear: robust authentication, rigorous contract terms, and proactive security testing are no longer optional but essential to maintaining patient trust and regulatory compliance.