New Zealand Health Minister directs formal review into cyber breach
Health Minister Simeon Brown has commissioned a comprehensive review into the cyber attack on ManageMyHealth, a key digital health platform used by patients and healthcare providers. The move aims to uncover what caused the breach, evaluate existing data protections, scrutinize the incident response, and outline concrete steps to prevent a recurrence.
The terms of reference for the review require investigators to examine the root causes of the breach, assess how personal health information was affected, and determine whether current safeguards were sufficient or whether gaps existed that could be exploited by attackers. In addition, the review will evaluate the effectiveness of the incident response, including containment, notification, remediation, and the support offered to affected users.
Minister Brown stressed that patient safety and data privacy are non-negotiable priorities. “I know this breach has caused concern among patients and providers who rely on ManageMyHealth for timely access to medical information,” he said. “This review will be thorough and independent, ensuring we learn what happened and how to strengthen protections across the health sector.”
The review will look at technical controls such as encryption, access controls, and monitoring systems, as well as governance measures like data handling policies, vendor risk management, and staff training. It will also assess whether the breach was the result of a single vulnerability or a combination of factors, including potential misconfigurations, phishing attempts, or gaps in third-party risk management.
Stakeholders across the health system have welcomed the initiative. Primary care practices, hospitals, and patient advocacy groups have voiced a desire for transparency and accountability. The review is expected to consider recommendations for legislative or regulatory changes, as well as practical improvements that can be implemented quickly to bolster resilience.
In recent months, cyber threats targeting health data have intensified globally, underscoring the need for robust security architectures in digital health platforms. The ManageMyHealth incident, while still under investigation, has heightened awareness about data protection practices, especially for systems that store sensitive health records and enable remote access for clinicians and patients alike.
The review will also examine communication protocols to ensure timely and clear messaging during future incidents. An important aim is to minimize disruption to patient care while investigators determine the full scope of the breach and mitigation strategies. Authorities have indicated that findings and recommendations will be published, with timelines to be announced as the review progresses.
As the health sector advances toward broader digital integration, the emphasis on privacy-by-design and proactive risk management will be central to policy discussions. The outcome of this review could influence security standards for digital health apps, data sharing agreements, and certification requirements for health IT vendors—an outcome welcomed by clinicians seeking a safer, more reliable system for patient information.
What happens next?
The review is expected to involve independent cybersecurity experts, data protection authorities, and representatives from healthcare providers. It will deliver a structured set of recommendations, including concrete timelines, funding needs, and governance changes necessary to reduce the likelihood of future breaches.
Patients and clinicians alike can anticipate more transparent reporting on any security incidents, new safeguards, and potentially enhanced access controls to protect sensitive health information without compromising the delivery of care.
