The Report into the Manage My Health Breach


In the same week that the government released the Budget, something else quietly dropped online. We’ve written this analysis because we think the downstream implications from these reports are significant and far-reaching.


The first is the Office of the Privacy Commissioner's Phase 1 report into the Manage My Health (MMH) cyber-security breach. The second is the Ministry of Health's Phase 2 Cyber-security Review. They come from different perspectives, but the findings are remarkably consistent, and the recommendations are highly likely to be adopted.


What we now know


The breach affected 99,416 patients. Around 91% were in Northland, which means the impact has fallen disproportionately on Northland Māori. The stolen information included hospital discharge summaries, patient-uploaded records, and personal identifiers: names, NHI numbers, dates of birth, contact details. For many of the people affected, the most distressing part has been not knowing what was taken, and in some cases not knowing they had an MMH account at all.


The OPC has found that both MMH and Health NZ breached Rule 5 (reasonable safeguards) of the Health Information Privacy Code. Compliance notices are coming for both. The Ministry's review reaches the same destination by a different route: it focuses on technical and governance maturity, but essentially comes to the same conclusions on the underlying issues.


It wasn’t surprising to see both reports indicating that privacy controls existed on paper but weren’t operating in practice. Governance didn't include the right expertise. Documentation hadn't been tested or independently validated. Vendor assurances were treated as a substitute for genuine assessment. The OPC describes one privacy impact assessment as appearing to be "a tick on the checklist for signoff", and the Ministry's review describes similar patterns of form without substance throughout.


What this means for health organisations


If you're running a practice, a clinic, a PHO, or an NGO that uses third-party digital services, these reports are significant for you. Tick-box compliance will not be acceptable. The work has to be done properly to ensure that the full extent of risk has been carefully considered and mitigated.


The OPC noted that GP practices avoided direct liability in this case "largely as a question of luck." That is a remarkable statement from a regulator and indicates the degree to which these risks can be poorly understood.


A few things are now settled that perhaps weren't before:


You are responsible for the third parties you engage.

Not in a vague, philosophical sense but in a very specific, rule-based sense (Rule 5(1)(b) specifically). Taking reasonable steps means more than reading a vendor's brochure or accepting their ISO certificate at face value. The recommended centralised verification process will help organisations with this.


"Reasonable" now has published reference points.

The OPC has explicitly drawn on the NCSC Minimum Cyber-security Standards, the Health Information Security Framework, ISO 27001, and NIST in interpreting what Rule 5 requires. These standards will be the minimum expectation in the future.


Documentation isn't compliance.

A PIA you wrote because the process required one. A policy nobody has looked at since it was signed off. A control that's listed in a register but hasn't been tested. None of these will do the work you need them to do if something goes wrong.


What everyone should do


There are a few practical things worth doing right now:


  • Take stock of your third parties. Know which services you use, what information sits with them, and what your contracts actually say. Many of those that I’ve looked at in recent years would not pass the standard now being expected.


  • Look at your contracts with fresh eyes. Breach notification clauses, audit rights, restrictions on unilateral changes to vendor terms: these matter more than they used to.


  • Be honest with yourself about your PIAs. If they're generic, vendor-supplied, or written close to signoff, treat them as a starting point rather than a completed piece of work.


  • Check how patient accounts get created. The MMH situation revealed thousands of accounts that patients didn't know they had. That's a consent and authorisation issue that sits with the practice, not the vendor.


  • Start thinking about how to make change. A Ministry-led centralised verification programme for health vendors is the most likely near-term policy response, and that's a good thing. But it won't arrive overnight, and collective due diligence at the organisational level will help in the meantime.


Above all, take this seriously. The standards being applied are already in place, and the regulator has signalled it will use them. Waiting for the next round of legislative change isn't the right posture. The expectations are clear enough now, and action is warranted given the time involved in making change.


A final thought


The thing I keep noticing in conversations across the sector is how much of this work has fallen on people without the time, funding, or specialist support to do it properly. That's a real constraint, and I don't think the answer is to demand that every small practice become a privacy and security expert overnight. But the OPC has made it clear that this will not be an acceptable excuse. MMH is tiny in comparison to Health NZ, but both are being subjected to the same level of rigour. Size doesn't reduce what's expected of you; it just changes what proportionate compliance looks like.


The standards are now public, and the regulatory expectations are clearer than they've ever been. I’ve written before about the duty we all have as leaders to take our responsibilities for this stuff seriously. It turns out the regulator agrees with me.


If you'd find it useful to talk through what these findings mean for your organisation, or where to begin, the CIO Studio team is here and happy to help.



CIO Studio provides independent digital strategy and leadership for New Zealand's health, NGO, and community organisations. If you want to talk to an expert about your digital strategy, get in touch for a no obligation conversation.