June 1, 2026

Your customer database is already a liability waiting to detonate

The breach that should have every boardroom’s attention

Manage My Health, a digital health record and appointment platform used across New Zealand’s health system, suffered a data breach that exposed sensitive patient information including names, addresses, dates of birth, and medical histories. The Privacy Commissioner launched a formal investigation into the incident.

The details matter less than the pattern. This was not a small startup running a spreadsheet. Manage My Health was a purpose-built platform operating within one of the most heavily regulated sectors in the country. If a system designed from the ground up to protect sensitive health data can fail at this scale, the question for every business owner holding customer records is not whether it could happen to them, but what it would cost when it does.

The law already changed and most businesses missed it

The Privacy Act 2020, which came into force in December 2020, fundamentally shifted the legal landscape for data handling in New Zealand. Two provisions matter most for commercial operators.

First, mandatory breach notification. When a privacy breach is likely to cause serious harm, organisations must notify both the Privacy Commissioner and every affected individual. This is not optional guidance. It is a hard legal obligation with penalties attached.

Second, privacy by design. The Act requires organisations to build privacy protections into systems and processes from the outset, not retrofit them after something goes wrong. Boards that signed off on a digital transformation programme without embedding privacy architecture into the specification are already exposed.

The penalty provisions under the Act are modest by international standards. But the real commercial damage does not come from fines. It comes from the cascade that follows a mandatory notification.

The liability chain nobody models

A privacy breach at a New Zealand business triggers a predictable sequence that most risk registers do not capture.

It starts with the notification obligation itself. Identifying every affected individual, drafting legally compliant communications, and standing up a response team costs real money before the regulator even picks up the phone. Then comes the investigation. The Privacy Commissioner has formal investigation powers and has shown willingness to use them. A public finding from the Commissioner is published, searchable, and permanent.

Media coverage follows. For businesses in sectors where trust is the product, the reputational hit is not a temporary embarrassment. It is a structural change in how customers, partners, and investors assess the organisation. Health providers, financial advisers, law firms, accountants, HR platforms, insurers – any business where the relationship depends on the client believing their information is safe faces an existential risk the moment that trust is broken.

Then come the remediation costs. Security audits, system upgrades, legal advice, potential litigation from affected individuals, increased insurance premiums, and the opportunity cost of senior leadership spending months managing a crisis instead of running the business.

The Health and Disability Services (Safety) Act 2001 adds a further layer for health sector operators, requiring appropriate systems to protect patient information. Non-compliance can trigger enforcement action and public findings that compound the commercial damage.

This is not an IT problem

The persistent mistake in New Zealand boardrooms is treating data privacy as a technology issue. It is delegated to the IT team or the compliance function, reviewed once during a product launch, then filed away until something breaks.

That approach was defensible before December 2020. It is not defensible now. The Privacy Act 2020 places obligations on the organisation, not the IT department. Directors who would never tolerate an unmanaged financial risk on the balance sheet are routinely signing off on data practices they have not stress-tested, do not fully understand, and have never modelled for downside exposure.

The Manage My Health breach is a case study in what happens when a regulated, specialist platform operating in a high-trust sector gets it wrong. For the thousands of New Zealand businesses holding customer names, addresses, financial details, employment records, or health information with far less sophisticated systems, the exposure is arguably greater.

What directors should do this week

Privacy governance belongs on the risk register alongside financial and operational risk. That means three things. First, know what data you hold, where it sits, and who has access. Second, stress-test your breach response plan, because the mandatory notification clock starts ticking the moment you become aware of a breach, not when you have figured out what happened. Third, treat your next board meeting as the deadline to answer a simple question: if our customer database was exposed tomorrow, what would it cost us?

The businesses that answer that question honestly will spend money on prevention. The ones that do not will spend far more on response.
