The Democracy Project

Democracy Briefing: How Privatisation built the MisManageMyHealth disaster

Bryce Edwards
Jan 12, 2026

Why don’t we have a single, secure, government-run system for health records? Why are the intimate medical details of 1.85 million Kiwis scattered across private servers owned by one man? The answer doesn’t lie in technology. It lies in decisions made thirty years ago.

As I explored in my previous column, Vino Ramayah’s one-man empire of Manage My Health didn’t emerge by accident. It was cultivated by policy choices that treated health data as a commodity and oversight as an impediment. The MisManageMyHealth breach wasn’t bad luck or criminal genius. It was the predictable outcome of three decades of market-led health reforms that privatised infrastructure, fragmented responsibility, and adopted a regulatory philosophy that, in bureaucratic language, translates simply as: “we don’t check.”

This is the story of how successive governments, seduced by market ideology, built a system designed to fail.

The 1991 turning point

The roots of this disaster trace back to the Bolger Government’s radical health reforms, driven by Finance Minister Ruth Richardson’s zeal for market discipline. The 1991 “Green and White Paper” introduced the purchaser-provider split: Regional Health Authorities would “purchase” services, while hospitals became Crown Health Enterprises expected to run like profit-driven businesses. GPs were firmly cast as independent private businesses contracting to the state. Healthcare was no longer a unified public service. It was a competitive marketplace.

One critical thing fell through the cracks: digital infrastructure. Under the old Area Health Boards, patient records could be centrally coordinated. But once the system fractured into purchasers and competing providers, the state retreated from its role as system architect. The government chose not to build a national health records platform. Instead, it left the job to the market, assuming private enterprise would innovate solutions.

The underlying assumption was that competition and private initiative would yield the best outcomes. But in practice, it yielded fragmentation. Dozens of different software systems proliferated across the country. Patient data was siloed in incompatible databases because no central authority mandated a common approach.

In practice, each GP clinic and hospital adopted its own software. No one created the single, secure public record system that patients assumed must exist. Health data became siloed and jealously guarded. After all, in a competitive model, a provider’s patient list was a commercial asset, not a shared public resource. If you moved from Hamilton to Auckland, your new doctor often couldn’t access your records without an old-fashioned fax. That was by design. The guiding ideology was that market efficiency would beat state control. It didn’t. Instead, we got dozens of incompatible systems and a chronic inability to share vital information across the country.

The rise of Medtech and the vendor trap

Rather than a thriving competitive ecosystem, the market naturally consolidated into a private monopoly. Medtech, founded in 1989, rode the wave of GP clinics needing new software. It steadily bought out or edged out rivals. By around 2010, Medtech controlled roughly 75 to 80 percent of GP practices. In our small market, that’s hegemony.

Manage My Health was born from this near-monopoly, launched in 2008 as an add-on for Medtech’s practice management system. Because it was tightly integrated with the existing software, it became the default digital front door for most clinics. This wasn’t a public health initiative. It was a commercial product piggybacking on Medtech’s dominance.

The Manage My Health portal offered what the public sector failed to: a way for patients to book appointments online, request prescription refills, message their doctor, and see parts of their records. It was convenient and it was innovative. And it was entirely private.

The funding mechanism is important to understand. Public money flows from taxpayers to the Ministry of Health, to Primary Health Organisations, to GP practices, and then to private software vendors. Yet when the breach happened, the Ministry claimed “no regulatory authority” over the platforms this funding chain enables. As one official put it, Manage My Health “is responsible for managing and securing its own systems.” The state pays for the system but washes its hands when it fails.

Meanwhile, patients are captive. They can’t choose a more secure portal without changing their GP, hardly feasible in regions suffering GP shortages. When competition dies, security becomes a cost centre, not a priority. Without market pressure, why invest in better protections when nobody can leave anyway?

The “high trust” model as abdication

If market fragmentation set the stage, the “high trust model” of governance pulled the rug out from under any oversight. This innocuous phrase is Wellington-speak for a hands-off approach in which authorities simply trust providers to do the right thing rather than actively verifying or enforcing standards.

Successive governments have elevated this into a virtue. It’s often talked about as avoiding “burdensome red tape” and fostering innovation. In reality, it has too often meant abdicating the basic duties of regulation.

As Chris Trotter writes today: “For the past forty years this country has preached and practiced the gospel of ‘light-handed regulation’ and despite a tragic series of disasters — Pike River being the costliest in lives; Leaky Homes the costliest in dollars — successive governments have kept the faith.”

This isn’t unique to health IT. It’s a pattern of New Zealand governance that has failed repeatedly. In the 1990s building industry, deregulation and a “trust the builders” ethos led to the leaky homes crisis, with private certifiers signing off on rot that cost billions to remediate. The Covid Wage Subsidy Scheme was designed as a “high trust” mechanism to expedite payments; it resulted in serious integrity failures – billions were paid out on little more than companies’ say-so, leading to significant fraud and to large, profitable firms taking subsidies they didn’t need.

Yet health IT still operates this way. The Ministry issued security guidelines like the HISO 10029 framework, but compliance was self-reported. Vendors effectively marked their own homework, attesting to security standards without independent verification. The last security review that may have included Manage My Health was conducted around 2018, a lifetime ago in cybersecurity terms. Te Whatu Ora admitted it didn’t even have access to that review.

The state assumed that because Manage My Health said it was secure, it was secure. When independent auditors examined the system after the breach, they reportedly gave it a “D” grade on basic security measures. Trotter asks the obvious question today: “If ever there was a need for heavy-handed regulation, then surely, isn’t it in relation to people’s confidential health information?”

Austerity compounds the crisis

This structural vulnerability has been compounded by recent budget cuts. In 2024, Health New Zealand clawed back over $330 million in digital health funding. The digital services workforce was gutted, with 23 roles cut, representing 28 percent of IT staff. Internal documents warned of a looming “funding cliff” for cybersecurity in 2026, with officials explicitly stating that “vulnerabilities will continue to grow” without sustained investment. Those warnings went unheeded.

The most high-profile casualty was the Hira programme – a multi-year effort that was supposed to create a nationally integrated health record system (essentially, to finally solve the fragmentation by connecting all those siloed databases). Hira had just finished its first phase, and hopes were high that it would bring New Zealand closer to the likes of Denmark or Estonia, where unified digital health records are a reality. Instead, Hira was put on “pause” indefinitely due to funding cuts. There was no Plan B announced to address the patchwork of systems it aimed to fix.

This is the false economy of doing it on the cheap. Successive governments wanted the private sector to provide the infrastructure so they didn’t have to fund it properly. But when that private infrastructure fails catastrophically, the public bears the cost anyway. The irony is bitter: a privately-operated system, still funded by public money, but with all risk transferred to patients and taxpayers. Privatised profits, socialised risks.

The democratic cost

Every policy choice from 1991 onward built toward this breach. Privatise infrastructure, and security responsibility fragments. Create monopolies, and competitive pressure to invest in security disappears. Adopt “high trust,” and verification evaporates. Cut public capacity, and reliance on failing private vendors increases.

This is bipartisan failure. National championed the original market model in the 1990s. Labour largely maintained it through the 2000s and 2010s. Both major parties embraced the idea that private tech vendors and light-touch oversight could deliver what was needed. Neither party in power was willing to spend the capital, political or financial, to build robust public systems or regulate private ones strictly. The result is a hollowed-out state: the form of a modern healthcare system, but without public control where it actually matters.

New Zealanders were encouraged to use online health portals. In some cases, it’s practically required to engage fully with your GP. But patients were conscripted into a system they didn’t choose and cannot escape. The public never really consented to having their most intimate data stored with a private third-party vendor operating in a regulatory void.

That is the real democratic deficit. In a healthy democracy, critical public infrastructure should be under some form of public oversight or control, or at least subject to strict regulation in the public interest. Here, a critical piece of infrastructure – our health records – was allowed to operate in a twilight zone of private monopoly. When it failed, the state’s first reaction was to wash its hands (“It’s a private company’s responsibility”). The breach has taught us that this model doesn’t just fail in theory; it fails spectacularly in practice.

The lesson from this saga is that some infrastructure is too important to leave to the whims of the market. Our health data should be treated as a public trust, with the state accepting ultimate responsibility for its safety. That requires abandoning the dogmas that led us here: that private markets always know best, that minimal oversight is fine, and that public accountability is an optional extra.

But privatisation alone didn’t keep the system broken. That required active lobbying to ensure regulators stayed weak. Next: the industry machine that made “burdensome regulation” a dirty phrase in health IT.

Dr Bryce Edwards

Director of the Democracy Project

Further reading and key sources for this column:
