Privacy commissioner to monitor security upgrades after Manage My Health hack
Privacy commissioner to monitor security upgrades after Manage My Health hack
Publish Date: 2026-05-26 13:00:00
Source Domain: www.rnz.co.nz
Manage My Health didn’t have adequate security controls, the Privacy Commissioner has found.
Photo: RNZ / Finn Blackwell
Health NZ and its patient portal Manage My Health “failed in their responsibilities” to have adequate security controls when hundreds of thousands of medical files were stolen in a cyber attack, the Privacy Commissioner has found.
Described as one of the country’s biggest cybersecurity incidents, the hack obtained access to sensitive health data held by privately owned patient portal Manage My Health in December last year.
Reviews were subsequently commissioned by Health NZ, Ministry of Health and the Office of the Privacy Commissioner.
In findings released on Wednesday, commissioner Michael Webster found both Manage My Health and Health NZ had deficient security safeguards in place to protect patient information.
Both organisations had breached principle 5 of the Privacy Act, Webster said.
“My inquiry has found that there were several problems with how patient information was managed. This incident released the sensitive health information of nearly 100,000 New Zealanders and has caused serious anxiety and distress for many people.”
More than 70 percent of those impacted by the Manage My Health breach were based in Northland.
“The reason so many Northland patients were caught up in the breach was because of a unique arrangement between Health NZ and Manage My Health in Northland involving hospital discharge information. It was not happening in hospitals in the rest of the country,” Webster said.
The commissioner was due to issue compliance notices to Manage My Health and Health NZ, a move utilised for the most serious privacy breaches.
“While both Manage My Health and Health NZ have already made changes to their security settings, compliance notices will formally require both of them to complete any necessary remaining work and demonstrate to my satisfaction that all changes are working effectively,” Webster said.
“In particular,…
