New Zealand Privacy Commissioner finds Manage My Health and Health NZ breached Privacy Act

Staff Editor 2026-06-04
New Zealand Privacy Commissioner finds Manage My Health and Health NZ breached Privacy Act

New Zealand Privacy Commissioner finds Manage My Health and Health NZ breached Privacy Act

https://dig.watch/updates/new-zealand-privacy-commissioner-finds-manage-my-health-and-health-nz-breached-privacy-act

Publish Date: 2026-06-04 21:24:00

Source Domain: dig.watch

Manage My Health and Health NZ are found to have breached Privacy Act obligations involving patient health information.

New Zealand Privacy Commissioner Michael Webster has released the findings of Phase 1 of his inquiry into the December 2025 Manage My Health cyber incident, in which sensitive patient information was accessed, stolen, and offered for sale.

The first phase of the inquiry focused on the causes of the breach and accountability. The Commissioner found that both Manage My Health and Health NZ breached Rule 5 of the Health Information Privacy Code by failing to ensure reasonable security safeguards for patient information.

The breach affected nearly 100,000 people and caused serious anxiety and distress for many of those impacted. Around 91% of affected patients were based in Northland, with the Commissioner noting that many were likely to be Māori.

The investigation found that a single failure did not cause the breach, but it was a combination of security weaknesses. Manage My Health had gaps in technical safeguards, lacked systems to detect large-scale access to information, and raised concerns about the quality of its security design and risk management practices.

Health NZ was criticised for not doing enough to ensure that Northland hospital patients’ information would be kept safe before arranging to share it through the Manage My Health portal. The inquiry found that the project team lacked specialist privacy and security expertise, relied too heavily on information from Manage My Health, used poor-quality internal privacy risk assessments, and operated under a contract that was not fit for purpose.

The Commissioner said he intends to issue compliance notices requiring both organisations to complete the remaining necessary work and to demonstrate that their security controls are effective in preventing similar incidents. He also recommended that the Ministry of Health establish a process for…

Source

More Stories

HHS Restructuring and New Enforcement Signal Increased Focus on Privacy, Security, and Health Plans

HHS Restructuring and New Enforcement Signal Increased Focus on Privacy, Security, and Health Plans

Staff Editor 2026-06-05
Trump mandates military AI use while emphasizing oversight and privacy

Trump mandates military AI use while emphasizing oversight and privacy

Staff Editor 2026-06-05
Amazon Ring lawsuit alleges facial recognition privacy violations

Amazon Ring lawsuit alleges facial recognition privacy violations

Staff Editor 2026-06-05

Terms and Conditions - Privacy Policy