The Democracy Project

Democracy Briefing

Democracy Briefing: How Tech lobbying enabled MisManageMyHealth

Bryce Edwards
Jan 12, 2026

Fifteen years of warnings from three Privacy Commissioners. Yet zero meaningful reform occurred. That’s the puzzle at the heart of New Zealand’s weak privacy regime, the one that left Manage My Health’s systems so vulnerable.

The pattern is extraordinary: in 2017, Privacy Commissioner John Edwards submitted a 27-page report to Parliament recommending corporate penalties of up to $1 million for serious privacy breaches. He was ignored. In 2024, Deputy Commissioner Liz MacPherson renewed the call, describing New Zealand’s penalty regime as “nothing, nada.” She was ignored. In December 2025, Commissioner Michael Webster called for “urgent reforms” with “multimillion-dollar fines.” He too was ignored. Three successive watchdogs, all warning of the same danger, all dismissed.

My previous column showed how privatisation built a fragile health IT system. This new column explains why we didn’t fix it, even as the failures mounted. The answer lies not in government incompetence but in something more calculated: a sophisticated lobbying ecosystem that successfully reframed patient safety as “red tape” and privacy enforcement as “anti-innovation.” When an industry explicitly lobbies against “burdensome privacy laws” and then a massive breach exposes 127,000 New Zealanders’ intimate health records, we need to ask who government was really listening to. This is corruption by omission — not bribes, but documented choices to prioritise lobbyists over watchdogs.

The Digital Health Association’s playbook

The Digital Health Association (DHA) is the peak body for health IT vendors in New Zealand. Its members include Medtech, Orion Health, and Manage My Health itself — the very company at the centre of this disaster. The DHA claims over 200 members representing “nearly 100% of NZ’s health-related data.” Its board includes representatives from the industry it purports to represent, creating an obvious problem: the lobby group tasked with advocating for the sector is populated by the companies that profit from minimal oversight.

The smoking gun is the DHA’s “Briefing to the Incoming Minister”, published in November 2023 following the last general election. In this document, the DHA explicitly listed “overly burdensome privacy laws and regulations” as a risk to the sector. That’s the key part. The industry body representing health software vendors — including the company that would go on to expose the health records of 127,000 New Zealanders — formally warned Government that privacy laws were too strict. They argued that regulation “hinders the adoption of new technologies” and creates “compliance costs.” They advocated for government to act as “funder” rather than “regulator”. That is, they wanted public money without public accountability.

The language requires decoding. When industry lobbyists say “burdensome,” they mean “expensive”. Introducing measures like encryption, penetration testing and 24/7 security monitoring all cuts into profit margins. When the lobbyists invoke “innovation,” they mean: don’t slow us down with safety requirements. “Light-touch” is code for self-regulation, and we now know how that ended. “Unnecessary compliance costs” translates simply as: we don’t want to pay for the security that health data deserves.

This is the same rhetoric New Zealand has heard before. The building industry called consents “burdensome” before the leaky homes crisis. The finance sector warned that capital requirements would “stifle lending” before the 2008 crash. Mining companies wanted less regulation prior to the Pike River mine disaster. When industry lobbies against safety regulations, the public pays. The same tragic sequence continues to play out in New Zealand.

The revolving door

The DHA doesn’t merely lobby from outside; it operates inside the room where policy is made. Helen Lear sits on the DHA Board while working at Health New Zealand. This is the revolving door in action.

This kind of dual role effectively institutionalises regulatory capture: the person who should be pushing companies to meet high standards can be simultaneously advising their lobby on how to reduce “compliance costs” and influence policy. When a key official wears an industry hat, you can bet the agency’s culture will be friendly to industry concerns. How rigorously will Health NZ hold a vendor’s feet to the fire on security when its own partnerships manager is literally part of the vendors’ advocacy group?

The DHA was a partner in running workshops for Hira, the Government’s national health information platform that was meant to modernise our health data infrastructure. By allowing the industry to co-design the national platform, government ensured that the architecture would favour incumbents like Medtech rather than disrupting monopolies.

When the regulated industry “co-designs” the regulatory framework, capture is complete. And the evidence of that capture is stark: official advice on the Therapeutic Products Act repeal noted that “the Digital Health Association lacked confidence” in the regulator. The government’s response? Repeal the safety law. When a government abolishes regulation because the regulated industry “lacks confidence” in oversight, we have reached the end point of capture.

The Australia comparison

The contrast with Australia demolishes any argument that strong penalties are impractical. In September 2022, Australia suffered the Medibank breach affecting 9.7 million people and the Optus breach affecting 10 million. By December 2022, just eight weeks later, the Australian Parliament had passed the Privacy Legislation Amendment, introducing penalties of AU$50 million for corporations or 30 percent of turnover, whichever is greater. In 2024, further reforms established a three-tier penalty system. When breaches happen, Australia acts.

New Zealand’s parallel universe is damning. In 2019, the Compass PHO breach potentially affected one million people, and there were no fines. In May 2021, the Waikato DHB breach saw over 4,200 records leaked to the dark web. Again, no fine. In December 2022, the Mercury IT breach compromised government coronial files and health records. Once again: no penalties.

Now, in January 2026, Manage My Health has exposed 127,000 patients’ intimate health information, and the maximum fine remains $10,000.

Same types of breaches, same era, neighbouring countries. Australia acted decisively within weeks; New Zealand did nothing across years and multiple disasters. Why the opposite response? In Australia, the industry narrative didn’t dominate. In New Zealand, the “burdensome regulation” framing won. New Zealand’s “high trust model” was defended as superior to “heavy-handed compliance.” The result: New Zealand became what commentators called the “soft underbelly” for data security.

Three commissioners, zero action

The pattern of ignored warnings from our privacy watchdogs constitutes a democratic failure. John Edwards (no relation!) served as Privacy Commissioner from 2014 to 2021. In February 2017, he submitted detailed recommendations to Parliament for corporate penalties of up to $1 million, warning that “privacy enforcement sanctions no longer appear adequate to deal with serious breaches.” His recommendations were not implemented in the Privacy Act 2020. Edwards publicly noted the new law’s maximum fine was “far short of what the privacy commissioner had hoped.” He later became the UK Information Commissioner, with his expertise valued overseas, ignored at home.

Liz MacPherson, as Deputy Commissioner, renewed the call in June 2024, describing New Zealand’s civil penalty regime as “nothing, nada.” Following the Manage My Health breach, she confirmed that the Office of the Privacy Commissioner had warned MMH in June 2025 about authentication vulnerabilities. What could they do? MacPherson told RNZ the OPC could only advise. The frustration was palpable: “We continue to see complacency,” she said.

Michael Webster, the current Commissioner, warned in his December 2023 briefing to the incoming Minister that “some agencies do not care about privacy as they know there are no significant financial penalties.” In December 2025, just before the breach became public, he called for “urgent reforms.” Webster said: “If New Zealand wants to be serious about privacy, then organisations need to be held accountable for their failings.”

The watchdogs did actually bark. Government didn’t listen. Why? Because the other voice in the room (industry) was louder and better resourced. Privacy Commissioners don’t have lobbyists. They don’t fund political campaigns. They don’t provide “expert advice” that happens to align with commercial interests. The DHA does all of these things.

In a functioning democracy, expert warnings from independent regulators should carry weight. When those warnings are systematically ignored in favour of industry preferences, something has gone wrong with the policy process. This isn’t corruption in the traditional sense, it’s capture by narrative.

The Therapeutic Products Act: Industry’s biggest victory

The repeal of the Therapeutic Products Act (TPA) stands as the DHA’s most significant political victory. And it’s the public’s significant loss. The TPA, passed in 2023, was designed to regulate “Software as a Medical Device,” bringing New Zealand into line with international standards. Health software performing therapeutic functions would have required market authorisation, post-market surveillance, and faced significant penalties for non-compliance.

The DHA launched a sustained campaign against it. In March 2023, CEO Jensen urged “risk-based, proportionate legislation” and warned that “broad SaMD regulations could stifle innovation and growth.” By July 2024, the DHA officially supported repeal, stating that “broad SaMD regulation stifles innovation, increases costs, and limits digital health progress.”

The Coalition Government repealed the Act in December 2024. Associate Health Minister Casey Costello’s justification is worth quoting: “The TPA would have led to the overregulation of low-risk products, imposed unnecessary costs and created more barriers to access... We can replace the TPA with legislation that protects consumers without creating unnecessary red tape for industry.”

This echoes DHA language: “overregulation,” “unnecessary costs,” “red tape.” An analysis by Dylan Mordaunt in the New Zealand Medical Journal in December 2025 documented this as “a successful reframing campaign” by “an advocacy coalition... which prioritised economic deregulation.”

The consequence is that patient portals and health software are now exempt from the pre-market safety approvals required for physical medical devices. The “unnecessary red tape” that Costello removed was the safety net that might have caught Manage My Health’s vulnerabilities.

The bipartisan capture

This column is not a partisan critique. The current National-led government’s “red tape cutting” agenda aligns perfectly with DHA priorities, the Regulatory Standards Act 2025 enshrines suspicion of regulation in law, and budget cuts to the Privacy Commissioner and Health NZ’s digital capacity came under this Government.

But Labour maintained the light-touch framework through the 2000s and 2010s. Labour didn’t implement Edwards’ 2017 recommendations despite controlling Parliament. Labour didn’t push for GDPR-style penalties despite multiple breaches on their watch. Both major parties proved reluctant to be seen as “anti-business” or “anti-innovation.”

Regulatory capture isn’t conspiracy, it’s just convergent interests. Industry doesn’t need to bribe anyone. They just need to consistently frame the debate in terms that make both major parties uncomfortable with strong enforcement.

“Burdensome regulation” became something no government wanted to be accused of imposing. The result: bipartisan inaction while the watchdogs begged for teeth. This is how New Zealand has failed before. The building industry lobbied against “burdensome” consents, and we got leaky homes. The finance sector fought “excessive” capital requirements, and investors lost their savings. Now health IT vendors have lobbied against “burdensome” privacy laws, and 127,000 New Zealanders have had their most intimate health details exposed. Powerful industry voices were heeded over public advocates. It’s a pattern so familiar it should be classified as a “national pathology”.

Corruption by omission

This isn’t conspiracy theory. It’s documented public record. The DHA’s briefings are online. The Privacy Commissioner’s calls for reform are published. The Therapeutic Products Act repeal is in the legislative record. The revolving door appointments are a matter of fact. The pattern is there for anyone willing to see it.

The Manage My Health breach wasn’t a failure of foresight. It was policy choice: to prioritise industry profits over public safety, to listen to lobbyists over watchdogs, to treat “don’t expose our patients’ data” as burdensome red tape, to starve regulators of resources while refusing to regulate.

The uncomfortable question must be asked: when an industry explicitly lobbies against “burdensome privacy laws,” and then a massive privacy breach occurs, and then government commissions a review but won’t commit to meaningful penalties, who is Government serving?

This isn’t about the criminal hackers. They are criminals, yes, but they exploited a system that was designed to be exploitable. A system where industry successfully lobbied for minimal oversight, self-reported compliance, and penalties so low they’re a rounding error on the balance sheet. The regulatory vacuum was actively maintained by those who profit from it.

Now we know how we got here: privatisation built the fragile system, monopoly concentrated the risk, watchdogs were ignored, and lobbying captured the policy process. The question becomes: what would real reform look like? And who should be held accountable for the system that failed 127,000 New Zealanders? I will try to answer those questions in a following column.

Dr Bryce Edwards

Director of the Democracy Project

Further reading and key sources for this column:
