Vino Ramayah, the CEO of Manage My Health, couldn’t have summed up the contradiction at the heart of this mess any better. In one interview, he told RNZ last week that the doctor-patient relationship was “sacrosanct”, insisting his company would never compromise it. Then he admitted they’d “dropped the ball” on security, allowing hackers to stroll in “through the front door” with a stolen password. This wasn’t some elaborate cyber espionage; it was a basic failure that exposed 430,000 medical documents belonging to 127,000 New Zealanders.
But let’s not stop at the apologies. In my last column, I examined how our watchdogs failed to bark because they’d been starved and muzzled by design. Now it’s time to look at who built this house of cards in the first place. Who is Manage My Health, really? And how did a single company come to hold such unchecked power over our most intimate health data? The answer reveals a story of monopoly capitalism at its worst: a structure rigged for private gain, with the risks dumped on the public. This breach wasn’t random bad luck. It was baked into the architecture.
The one-man empire
Dig into the corporate records, and Manage My Health starts to look less like a robust health guardian and more like a personal fiefdom. The platform is wholly owned by Cereus Health Group, which in turn is entirely controlled by Vino Ramayah himself. He’s not just the CEO; he’s the owner, the chairman, and one of only two directors on the board. The other director appears to share his address, suggesting this isn’t exactly a model of diverse governance.
With just 21 staff listed in company databases, this lean operation was entrusted with the sensitive records of 1.85 million Kiwis — over a third of the population. It’s a level of concentration and informality that would raise eyebrows in any critical infrastructure firm, let alone one managing intimate medical information.
The backstory adds layers to this concentration of power. As Nikki Macdonald detailed in her Post article, the roots go back to 1989 when engineer Robin Churchman founded Health Technology Ltd. By 2000, Ramayah (a lawyer trained in Singapore and London) had joined as a director and soon took over as CEO. The company evolved into Medtech Global, which came to dominate GP practice management software in New Zealand. In 2020, Ramayah sold Medtech to Australian investors but carved out Manage My Health, spinning it into his private Cereus empire.
What does this mean in practice? Independent audits paint a worrying picture. BlackVeil Security gave the platform a “D” grade overall, noting basic lapses like an improperly configured DMARC record — a simple, standard email authentication measure. Vimal Kumar from Waikato University’s Cyber Security Lab pointed out that if something as straightforward as DMARC wasn’t set up right, “what other things were not being done properly?” It’s a fair question for a company handling everything from psychiatric notes to sexual health records.
From a democratic standpoint, this setup is troubling. Public health entities face scrutiny under the Official Information Act and Ombudsman oversight. But as a private limited liability company, Manage My Health operates in the shadows. No mandatory transparency reports, no public board meetings, no requirement to disclose security investments.
Ramayah’s dual role as owner and operator creates inherent conflicts: why pour money into top-tier security when there’s no one forcing your hand? This isn’t innovation; it’s a recipe for complacency. And when the breach hit, it was patients, not shareholders, who paid the price.
The monopoly machine
If the corporate structure raises red flags, the market dominance seals the deal. Medtech’s practice management system controls roughly 60-75% of GP clinics in New Zealand, according to industry estimates. Manage My Health became the default patient portal for those practices, creating a captive audience. When Ramayah sold Medtech but kept the portal, he inherited that locked-in user base. Patients can’t shop around for a better-secured alternative without switching doctors entirely.
Dr Luke Bradford, president of the College of GPs, explained the bind clearly: “Manage My Health is contracted to the Medtech system which supplies 60% of New Zealand’s health clinics... practices can’t arbitrarily switch to another provider.” It’s vendor lock-in at its finest, turning health data into a moat that protects the company from competition. And without competition, why bother with expensive upgrades like mandatory multi-factor authentication?
Then there’s the “zombie data” problem. Manage My Health doesn’t automatically purge accounts when practices switch systems or patients move on. Some victims of this breach had data from years ago, tied to old enrolments. The company hoards information like an asset, retaining it indefinitely. Even deceased patients’ records were compromised, forcing practices to contact next of kin.
This accumulation isn’t accidental; it’s profitable. But it amplifies risks. Andrew Swanson-Dobbs, CEO of WellSouth, didn’t mince words: “We’ve now lost public trust in the use of portals because of a private company’s inability to invest in security.” He went further, saying he had “less than 0% confidence” in the platform post-breach. Journalist Rob Stock called it “sleepwalking” complacency, bred by monopoly power. When you’re the only game in town, security becomes a cost centre, not a priority. No rivals mean no pressure to innovate or fortify. The result? A brittle system where one weak point exposes millions.
The offshore question
Adding to the fragility is Manage My Health’s global footprint. The company has offices in New Zealand, Australia, and India, with much of the development work outsourced to InLogic Technologies in Chennai. InLogic bills itself as the “technology partner behind Manage My Health since its inception,” and Ramayah is listed as a director and shareholder there. This isn’t just back-office support; it’s core IT management handed overseas.
This arrangement raises serious supply-chain security questions. If Indian developers have administrator access to New Zealand patient data, that’s a vulnerability stretching beyond our borders. Data might be stored on local servers, but if the “keys” are in Chennai, what good is that? Sovereignty concerns kick in: New Zealand regulators can’t easily audit foreign entities or enforce standards.
The breach dump raised even sharper alarms. Hackers’ samples reportedly included a 2023 credit card statement from InLogic, suggesting financial docs mingled with patient files. If true — and this needs verification — it points to sloppy boundaries in a shared system. Worse, it’s a smoking gun suggesting that the “front door” into our health records might have been in Chennai all along.
Offshore setups cut costs, sure, but they expose data to remote risks: a compromised laptop in India could unlock Kiwi medical records. As one analyst noted, this makes “data residency” claims ring hollow. In a world of global threats, why build such dependencies without ironclad controls?
The arrangement also creates a blurry line of accountability. Did New Zealand authorities vet or certify the security practices of InLogic? (All signs point to no – there’s no evidence of any government agency ever auditing the code or infrastructure of MMH, let alone its offshore contractors.)
Would Indian contractors be subject to our Privacy Act or liable under our laws if they mishandled data? Unlikely. And yet they might have the ability to browse through patient records as part of their work. The lack of transparency around this is its own scandal – we simply wouldn’t know about the extent of offshoring if the hacker’s data dump hadn’t accidentally revealed that InLogic credit card statement.
Ramayah has been largely silent on the India connection in public, but the concern is obvious: if your IT is outsourced to India, your security is outsourced there too. The breach has made one thing clear – it’s cold comfort to say data is “held in New Zealand” if the control over that data can be exercised from offshore.
Privatised profits, socialised risks
Pull the threads together: A one-man company, a captive market, minimal governance, skeleton staffing, offshore development, and security graded “D”. This is not an organisation that failed despite its best efforts. It is an organisation structured in a way that made failure inevitable.
The business model was lean by design. Offshoring development to India saved costs. A 21-person team maximised margins. The monopoly position eliminated competitive pressure to do better. When the predictable breach came, it wasn’t the owner who paid the price. It was 127,000 patients whose medical histories, mental health records, and sexual assault documentation now sit in criminal hands.
This is privatised profits, socialised risks. The lean operation extracted value for years. The public bears the cost of its failure. GP practices funded by taxpayers paid fees to Manage My Health. When security collapsed, the Ministry of Health, Police, and Privacy Commissioner picked up the investigation bill. Patients bear the psychological burden.
But this monopoly didn’t emerge in a vacuum. It was enabled by decades of policy choices: the privatisation of health IT infrastructure, the “high trust” regulatory model that asked no hard questions, and the lobbying that kept mandatory security standards off the table.
As someone who’s tracked these power imbalances for years, I see this as monopoly capitalism colliding with a hollowed-out state. No market forces pushed for better security; no oversight demanded it. The breach was inevitable. Next, I’ll examine the privatisation roots and lobbying that built this shaky foundation, and why successive governments let it stand.
For now, the lessons of this week are clear: entrusting millions of Kiwis’ health records to a one-man monopoly was a disaster waiting to happen, and we’re all waking up to the cost of that mistake.
Dr Bryce Edwards
Director of the Democracy Project