A warning ignored for two years
When hackers breached Manage My Health at the end of December 2025, they compromised approximately 127,000 patient records by obtaining a single password that unlocked more than 430,000 documents. The platform covers 1.8 million New Zealanders. Auckland University cyber-security expert Dr Abhinav Chopra had identified the exact vulnerabilities two years earlier, including the absence of multi-factor authentication and unencrypted files accessible to multiple administrators. The company did not respond. The Privacy Commissioner had separately warned Manage My Health of security risks six months before the breach.
Dr Chopra’s assessment was blunt: “This is the same pattern. They should have invested. They’ve had two years and these are the exact same areas that have caused them the issue.”
Manage My Health’s own terms of service state the company “can’t guarantee their system is any good or that they’ll fix it, even if it’s foreseeable and they know about it”. That clause tells you everything about where liability sits in this sector.
One breach became a feeding frenzy
Manage My Health was not alone. Canopy Health experienced unauthorised access around the same period. By March 2026, Health Informatics New Zealand was reporting three health cyber breaches within three months, adding MediMap and IntraCare to the list.
Faustin Roman, chief executive of cybersecurity firm Altersec, describes the dynamic plainly: “Once an attacker publicly compromises a sector and demonstrates that defences are weak and consequences are minimal, the broader criminal ecosystem takes notice.” He notes that health data is “the most valuable commodity on the dark web” because a single record contains identity details, NHI numbers, and clinical history that cannot be cancelled like a credit card.
All three breaches exploited holiday periods when organisations operate with skeleton IT crews. This is not sophisticated. It is opportunistic, and it is working.
A $10,000 fine is not a deterrent; it is a rounding error
The regulatory architecture behind this is almost comically weak. New Zealand’s Privacy Act carries a maximum fine of $10,000. Roman calls it “laughable” compared to Australia’s multi-million-dollar regime or Europe’s GDPR. Three Privacy Commissioners over 15 years warned successive governments to strengthen penalties. All were ignored. Political analyst Bryce Edwards said the weakness was “not an accident”, noting that the Digital Health Association had lobbied against stronger regulation.
The governance failure extends inside the public system. A Public Service Commission inquiry into the Manurewa Marae incident found Health NZ had data-sharing agreements that gave it no power to audit external providers. The commission stated “the gate was left open” for sensitive information to be misused.
Digitisation is accelerating into the gap
Health NZ’s own Health Digital Investment Plan, published in October 2025, confirms the scale of the problem. It found 85% of Health NZ digital systems do not support data sharing, 65% of hospitals still use paper-based progress notes, and over 80% have inadequate network coverage. The plan includes cybersecurity investment, but it is a decade-long roadmap, not an emergency response. As new digital systems are layered onto fragmented infrastructure, the attack surface expands before security improves.
Academic analysis warned against “security theatre: visible but poorly targeted measures that look decisive without necessarily reducing risk”.
Every business touching health data is exposed
The broader threat environment makes complacency dangerous. The NCSC recorded 5,995 cyber incidents in 2024/25, with direct financial losses hitting $12.4 million in Q3 alone, more than double the previous quarter.
The exposure extends well past GP clinics. Technology vendors supplying health platforms face direct reputational and liability risk. Employers offering health insurance or wellness programmes through third-party platforms inherit the same systemic weaknesses. Insurers face growing claims exposure from centralised data architectures where a single breach affects thousands simultaneously. Anyone procuring health IT services should be asking about audit rights, subcontractors, and data custody chains, because the current regulatory framework does not require vendors to answer those questions.
New Zealand’s health sector has been publicly identified as a soft target with minimal consequences. Until the penalty regime is reformed and audit obligations are mandatory, the feeding frenzy will continue. Every business connected to this infrastructure is carrying risk it has not priced.
Sources
- RNZ: Manage My Health data breach – Everything we know so far (2026-01-14)
- RNZ: Manage My Health ignored warning about lax security system – cyber-security expert (2026-01-14)
- BusinessDesk: Manage My Health, Privacy Commissioner warned of security risks six months ago (2026-01-07)
- BusinessDesk: Falling behind – Calls to overhaul Privacy Act after health data hack (2026-01-09)
- RNZ: NZ’s health data hack needs a proper diagnosis and a transparent treatment plan (2026-01-14)
- RNZ: Health NZ leaves sensitive data unsecure, inquiry finds (2026-02-18)
- Health Digital Investment Plan (HDIP) October 2025 (2025-10)
- The Conversation: NZ’s health data hack needs a proper diagnosis and a transparent treatment plan (2026-01-14)
- Newsroom: Stakes are high in Manage My Health breach fallout (2026-01-13)