The Office of the Privacy Commissioner (OPC) has today released the findings of Phase 1 of its inquiry into the December 2025 Manage My Health (MMH) cyber incident. The breach exposed the sensitive health information of 99,416 New Zealanders and is one of the largest known breaches of sensitive personal information in New Zealand's history. The OPC has found that both MMH and Health New Zealand breached Rule 5 of the Health Information Privacy Code 2020 by failing to maintain adequate security safeguards. The OPC intends to issue compliance notices to both organisations under section 123 of the Privacy Act.
Key takeaways
For privacy officers, in-house legal teams and others responsible for managing health information and third-party technology arrangements, the inquiry's findings carry some important practical lessons regarding due diligence, privacy by design, the importance of detection in preventing cyber incidents, and the need for fit-for-purpose contracts. In our view, though, the OPC's recommendations on reform of the Privacy Act are of particular interest.
"The status quo is unrealistic and unnecessarily burdensome"
The general position under the Privacy Act is that it applies to agencies or organisations that collect and hold personal information, and not to the suppliers they engage to manage personal information on their behalf. In that context, the OPC has commented that, to be certain that security is adequate, GP practices and other health providers have to check security documentation and contracts, or obtain independent advice to assess the documentation that suppliers provide. The OPC's view is that this approach is unrealistic and unnecessarily burdensome, as it leads to duplication, uncertainty and unnecessary expense.
In that context, the OPC calls on central government to do more to improve security confidence in health sector suppliers, who are an increasingly important part of the health care system. As an alternative to a decentralised system, the OPC recommends that New Zealand adopt the approach taken by Australia and introduce a registration system for health organisations that wish to access electronic health records, including organisations offering repository or portal services.
"It should not be that complicated"
The OPC noted that the MMH inquiry has revealed weaknesses in the way the Privacy Act allocates legal responsibility for security where third-party providers are involved. In its view, there is an opportunity to simplify the settings and better meet consumer and regulatory expectations.
In particular, the OPC recommends that organisations should have direct liability for their security settings under the Privacy Act, including when they are providing services to others. This would simplify the section 11 analysis under the Privacy Act and mean that agencies (particularly small businesses) would not have to rely purely on contractual remedies (if any) if the third parties they engage fail to have reasonable security settings in place.
In our view, clarifying an agent's (or a processor's) responsibility for information security (or, ideally, their responsibility under the Privacy Act more generally) would be a welcome and helpful change to align us with our international counterparts and to clarify the application of the Privacy Act.
Compliance notices
In this context, it is worth noting that, as we discussed in our March 2026 update on New Zealand's cyber security direction, the OPC's enforcement toolkit remains relatively limited. While the OPC intends to issue compliance notices in this case, compliance notices cannot attract civil penalties under the current law. However, the Cyber Security Action Plan 2026-2027 has tasked the Ministry of Justice with advising on a potential civil pecuniary penalty regime under the Privacy Act, which would represent a significant shift in the regulatory landscape.