Democracy Briefing: The MisManageMyHealth scandal

Bryce Edwards
Jan 08, 2026

When hackers stole 430,000 medical documents from Manage My Health on December 30, the initial response followed a familiar script. A private company expressed regret. A minister ordered a review. And 127,000 New Zealanders were left wondering whether their most intimate health records would end up on the dark web.

But this is not just another cybersecurity incident. Strip away the technical jargon and what you find is a case study in everything that has gone wrong with how New Zealand is governed: the hollowing out of state oversight, the outsourcing of public functions to private near-monopolies, the chronic underfunding of regulators, and a political class that treats accountability as someone else’s problem.

I’ll be writing a series of columns examining this scandal in depth. Because the Manage My Health breach – let’s call it MisManageMyHealth for accuracy – isn’t really about ransomware or passwords. It’s about power. And it’s about a system that has been systematically designed to avoid responsibility when things go wrong.

What happened, and who is affected

The facts are stark. A hacker using the alias “Kazu” accessed a module of the Manage My Health portal containing clinical documents, including discharge summaries, specialist referrals, mental health records, and personal information dating back to 2017. The ransom demand was US$60,000. Around 127,000 patients are affected, roughly 7% of the platform’s 1.8 million registered users.

CEO Vino Ramayah admitted the attackers got in “through the front door” using a valid password. That phrase should alarm anyone who has entrusted their health information to this system. We’re not talking about sophisticated state-sponsored hackers cracking military-grade encryption. We’re talking about what appears to be a basic security failure at a company holding some of the most sensitive data in New Zealand.

The scale and sensitivity of this breach probably make it New Zealand’s worst privacy disaster to date. Cybersecurity expert Daniel Ayers described the hack as “catastrophic on the New Zealand scale”, while Andrew Ng called it “probably the worst data breach” he’d seen in New Zealand.

The potential harms are immense. Think about what’s in these files. Psychiatric diagnoses. Sexual health information. Details of domestic violence. Records of abortions. The intimate confessions people make to their doctors believing, as they should, that such information is sacrosanct.

People could be blackmailed over sensitive diagnoses or traumatic histories. Identities could be stolen. As one furious patient told RNZ, she is “one part terrified, one part really angry, like ragingly angry” that details of her past sexual assault – secrets she hasn’t even told some family members – might be made public. This isn’t just a bureaucratic failure. Real people will suffer real consequences.

Why this is a democratic scandal

Here’s what should enrage us. Six months before the hack, in June 2025, an anonymous tipster emailed both the Office of the Privacy Commissioner and Manage My Health warning that names, email addresses, and passwords were exposed on the platform. Deputy Privacy Commissioner Liz MacPherson confirmed the company was notified and investigated. The OPC advised extending additional protections to all accounts.

Did that happen? We don’t know. What we do know is that by December, hackers walked in through the front door.

This wasn’t unforeseeable. People warned about it, and it was allowed to happen anyway.

Pointing the finger at the company alone is too easy. The real scandal is how our public system allowed this to happen. New Zealand’s government agencies and regulators utterly failed to ensure basic protections were in place. There were no mandatory security standards that could have forced Manage My Health to use better authentication or encryption. No government body was auditing the portal’s safeguards, even as it became a core part of our health infrastructure. In fact, when asked, the Ministry of Health claimed it had “no regulatory authority” over Manage My Health’s operations.

Health Minister Simeon Brown was quick to label the breach “unacceptable” after the fact, but in the same breath he insisted that Manage My Health being a private company meant data security was solely its responsibility. That hands-off approach speaks volumes. It’s as if our leaders crossed their fingers and hoped a private firm would do the right thing, and then acted surprised when things went horribly wrong. This is governance by wishful thinking.

New Zealand has been heading toward a disaster like this for years. Successive Privacy Commissioners, IT experts, and concerned journalists have all warned that our data protection regime is woefully inadequate – but those warnings were ignored.

As journalist Rob Stock (whose own health records were caught up in the hack) wrote this week, New Zealand has been “sleepwalking towards a privacy breach like this one.” Now that it’s happened, the ugly truth is laid bare: we have a hollowed-out state when it comes to safeguarding data. The watchdogs lacked bite, the regulations lacked teeth, and the political will to strengthen them was missing.

This weak regulatory culture didn’t start with the current government, nor with the previous one – it’s bipartisan and decades in the making. Politicians of all stripes have preferred a light-touch, pro-business approach, even as data has become the new gold. Attempts to modernise privacy laws have been half-hearted at best.

When you hollow out the state’s protective functions, you get crises like this. It’s the same story as with building regulation, or workplace safety. You cut oversight, leave it to the market, and hope for the best, until inevitably something blows up.

That’s why the MisManageMyHealth debacle is so important for us to learn from. This is what happens when the state abdicates its protective role. The government funds the system, encourages patients onto digital portals, and then disclaims any responsibility for what happens to their data.

What this series will cover

Over the coming week or so, I’ll examine this scandal from multiple angles. Not because I want to pile on a company that’s already facing public fury, but because the Manage My Health failure illuminates problems that go far beyond one breach.

I’ll be looking at the regulatory vacuum: how New Zealand ended up with essentially no oversight of public-private health data platforms, and why the “high trust model” beloved of our public sector is really a recipe for disaster.

I’ll examine our toothless privacy laws: why the maximum penalty of $10,000 under the Privacy Act is a joke compared to Australia’s $50 million, and why successive Privacy Commissioners have begged for reform only to be ignored.

I’ll trace the history of how we got here: the privatisation of health IT, the rise of Medtech’s monopoly, the corporate structure that placed 1.8 million New Zealanders’ health records under the control of a company owned by one man.

I’ll investigate the lobbying that shaped policy: how industry groups like the Digital Health Association pushed for a regulatory environment that prioritised “innovation” over patient protection.

And I’ll ask what must change: because reviews that sit on shelves don’t protect anyone.

A request to readers

This story is still developing. Some angles will require more investigation than I can do alone.

If you have information about how Manage My Health operated, how contracts with health providers worked, what GPs were told about security, or how the company responded to concerns, I’d like to hear from you. If you’ve worked in health IT or privacy regulation and have insights into how this system was allowed to develop, your perspective would be valuable.

You can reply directly to this email, or leave comments on the Substack post. What angles need further investigation? What questions should I be asking?

The doctor-patient relationship is supposed to be sacrosanct. Manage My Health’s Ramayah said so himself, even while admitting his company “dropped the ball.” But privacy isn’t just about individual relationships. It’s about whether citizens can trust the systems their government has allowed to develop. Right now, that trust is in tatters.

This breach was predictable. It was predicted. And the system that was built made it inevitable.

For those interested, below is an outline of my intended columns on Manage My Health, and a reading list of material on the topic.

Dr Bryce Edwards

Director of the Democracy Project

Proposed MisManageMyHealth columns:

© 2026 Bryce Edwards