After six columns dissecting the MisManageMyHealth debacle, the diagnosis is clear. Decades of privatisation built a fragile system, leaving our health IT infrastructure splintered and under-resourced. A near-monopoly concentrated the risk, handing 1.8 million New Zealanders’ records to a one-man private empire. The watchdogs were ignored and muzzled: successive Privacy Commissioners’ warnings went unheeded, and regulators were kept toothless by design. Meanwhile, industry lobbying captured the policy process, framing basic protections as “red tape” and convincing politicians that regulation was a dirty word.
Now the question is: What would real reform look like? And equally important: Who should be held accountable?
The good news is that we know exactly what needs fixing, if our leaders have the courage to act. Here is a four-point agenda to address the failures exposed by MisManageMyHealth.
1) Privacy law with teeth
New Zealand’s privacy laws need a complete overhaul. The current maximum fine of $10,000 is an international joke – Australia can levy up to A$50 million for serious breaches. It’s time to give our Privacy Act real bite: empower the Privacy Commissioner to impose multi-million dollar penalties on companies that recklessly endanger our data.
Enforcement powers must be beefed up so the regulator can issue compliance orders and demand independent security audits before a breach happens. Breach notification rules should have strict timelines, which would mean no more leaving victims in the dark for weeks. And patients deserve a “right to erasure”: if you no longer use a service, you should be able to have your data deleted. Manage My Health’s trove of “zombie data” – records kept indefinitely, even for patients long gone or deceased – shows why this is needed.
2) End the “High trust” charade
Our officials love to talk about “light-handed regulation” and “high trust models.” What this really means is wilful blindness. In practice, “high trust” meant Health NZ and the Ministry of Health took Manage My Health’s word that everything was fine, until it wasn’t.
Real reform means ending the polite fiction that private companies will simply do the right thing if left alone. We need mandatory, regular security audits for any company handling large-scale personal data. If Manage My Health had been subject to annual independent certifications of its security (with the results made public), would we have discovered, for example, its lack of multi-factor authentication before 127,000 patients were exposed?
Accreditation should no longer be optional. Government agencies must set hard security standards (encryption, authentication, penetration testing, data minimisation, etc.) and enforce them via audits and penalties. And let’s empower an independent oversight body to proactively “stress test” critical systems. This could either be the Privacy Commissioner or a new Digital Safety Authority.
The Ministry’s excuse that it had “no regulatory authority” over a platform used by a third of the population is absurd. Such “authority” must be created. Trust is not a strategy; oversight is.
3) Rebuild public capacity
Perhaps the most important long-term reform is to reclaim public control over digital health infrastructure. MisManageMyHealth has been a painful lesson in the costs of outsourcing what should be core public services. Why don’t we have a single, secure, government-run patient portal by now? Because for 30 years, governments of both stripes decided to leave it to the market. That needs to change.
Rebuilding public capacity means funding and completing Hira, the long-delayed national health information platform, so that New Zealanders’ medical records aren’t locked up in one private company’s servers. It means investing in secure public cloud infrastructure and modernising the health system’s IT backbone, rather than relying on a patchwork of legacy systems and private vendors.
It also means enabling data portability for patients: you should be able to easily transfer your health records to a different GP or a different platform, breaking the stranglehold of vendor lock-in. When citizens are effectively “captive” to one portal, the market can’t work and security becomes an afterthought.
A well-resourced public alternative would introduce much-needed competition (raising the bar on security and privacy features) or even replace the private portals entirely if they can’t meet robust standards. Digital health must be treated as critical national infrastructure – funded and maintained for the public good, not just a profit centre for a private operator.
4) Resource the watchdog
Finally, we must give the Privacy Commissioner’s office the mandate and resources to actually do its job. Right now, our privacy watchdog is a small dog when we need a German Shepherd.
Just 48 staff are tasked with protecting five million Kiwis’ data across the entire economy. Budget cuts last year further neutered the office, even as breach notifications and complaints have surged. This is a political choice to keep the regulator weak, and it must be reversed. “Resourcing the watchdog” means significantly increasing funding and staffing for the Office of the Privacy Commissioner, not by a token amount but by at least doubling it.
It means paying those staff enough to retain skilled investigators (so the office isn’t just a “nursery” that trains people only to lose them to the private sector). It means giving the Commissioner explicit audit powers: the ability to launch spot-checks on high-risk data holders, rather than waiting passively for complaints or disasters.
And it means ensuring timely investigations. There shouldn’t be more breaches that languish for years without conclusion because the watchdog’s plate is too full. That requires political will to empower an agency whose sole loyalty is to the public’s right to privacy.
Who should be held accountable?
These reforms outline what should happen. But will they? This relates to the second question: Who should be held accountable for the status quo, and are they prepared to change?
Real reform will only come if we confront the institutions and individuals that allowed this mess to fester. Accountability must be more than a review or a press conference. It means consequences and ownership of failure by the following:
A) Corporate accountability
Vino Ramayah and Manage My Health. Let’s start with the company at the centre. Manage My Health’s leadership, above all CEO/owner Vino Ramayah, bears direct responsibility for the specific failures that led to this breach. They built a system with no meaningful governance or transparency – a 21-person outfit controlling the records of two million people.
They skimped on security basics (no mandatory MFA, outdated software, apparent neglect of warnings) in order to maximise profit. And when warned about vulnerabilities months in advance, they “dropped the ball” completely.
Ramayah chose to run his company on a shoestring and treat patient data as a private asset. Now 127,000 New Zealanders are paying the price for those choices. Corporate accountability means the buck stops with him.
At minimum, the company should face an independent inquiry and, once stronger penalties are in place, significant fines. Ramayah’s hints about possibly stepping down are not enough, as this is about more than one man’s job title. It’s about ensuring that companies entrusted with public data meet standards or lose their social license.
If Manage My Health cannot immediately harden its security and demonstrate transparency, it shouldn’t be managing anyone’s health data, period. Accountability here might ultimately mean bringing this function back into public hands if the private owner won’t meet the mark.
B) Regulatory accountability: Ministry of Health and Health NZ
The public sector cannot shrug this off as “not our problem.” The Ministry of Health and Te Whatu Ora utterly failed in their duty to safeguard a de facto public service. They encouraged the health system’s digitisation and the use of patient portals, routed taxpayer funds into subsidising those tools, and then abdicated oversight completely.
We now know the Ministry blithely claimed it had “no regulatory authority” over the platform containing our medical files. Health NZ leadership dutifully parroted that the private company was “responsible” and the state bore no blame. This hands-off posture is nothing short of negligence.
Public officials must be held to account for why they left a private company to operate critical health infrastructure with zero checks. Why were no security requirements written into contracts with primary health organisations and GPs? Why was there no contingency plan for a portal failure?
Every level of health bureaucracy accepted the “high trust” myth and thereby betrayed the public’s trust. Accountability here means government agencies owning up to their mistakes: the Health Minister and MoH should explicitly acknowledge that it was a mistake to leave Manage My Health unregulated.
Heads may not roll, but candid admission is a start. Then, these agencies must commit to doing things differently, which means embracing the reforms above (audits, standards, public alternatives) even if it inconveniences their private partners. If they resist or play the same old tune, we’ll know nothing has changed.
C) Political accountability: National and Labour
One of the most striking aspects of this saga is its bipartisan nature. The weak privacy regime that enabled this breach was built and maintained by both major parties in government. Labour and National alike preferred to avoid imposing costs or rules on businesses handling personal data, even as warning after warning came in from experts.
In 2017, then-Privacy Commissioner John Edwards called on Parliament to introduce fines up to $1 million for breaches; the National-led government at the time did nothing. In the subsequent years under a Labour-led government, massive breaches (Waikato DHB, among others) prompted renewed Privacy Commissioner pleas for stronger laws, which were likewise ignored.
Even after the Optus/Medibank wake-up call in Australia and the clear blueprint it provided for reform, our politicians couldn’t be bothered. And in late 2024, as if to underscore the point, the new Coalition government quickly repealed the Therapeutic Products Act (a modern safety law) in part because industry lobbyists found it too burdensome. They even cut the Privacy Commissioner’s budget further.
This failure spans years and parties. Political accountability means owning this bipartisan failure and learning from it, not just pointing fingers after the fact. It means MPs from both sides finally prioritising citizen privacy over corporate convenience. New Zealand’s political class has treated data protection as a niche or “tech” issue to be sidelined.
It must now treat it as a core obligation of the state in the digital age. If our elected leaders do not take concrete legislative action after this scandal – if they retreat into partisan posturing or, worse, quietly let the issue drop – they too will have dropped the ball. Voters should not let them off the hook.
D) Lobbying accountability: The Digital Health Association and allies
Lastly, we need to talk about the role of lobbying and private influence. The Digital Health Association (DHA), the industry group representing health IT companies (Manage My Health among them), has been hugely successful in shaping the rules (or lack of rules) that got us here.
They campaigned against stronger privacy regulations, explicitly warning the incoming Minister in 2023 that “overly burdensome privacy laws” were a threat to their sector. They pushed the line that regulation would hinder innovation and called for government to be a “funder” not a “regulator”. In effect, they lobbied to keep doing whatever they wanted with minimal oversight, and government listened.
The Therapeutic Products Act saga is a case in point: the DHA “lacked confidence” in the proposed regulator, and the new government obligingly scrapped the whole law. This is a stark example of regulatory capture.
The DHA even had one of its board members embedded inside Health NZ’s leadership, wearing two hats at once. And it was invited to co-design major policies like the Hira digital health platform, ensuring industry’s preferences were baked in from the start. This cosy arrangement – industry calling the shots on how it should (or shouldn’t) be regulated – is a big part of why we ended up with a “light-touch” regime so ripe for failure.
So, holding the lobby accountable means shining a light on these influence networks. The DHA and its member companies should be named and shamed for prioritising convenience and profit over patient security. When lobbyists cry “red tape” in the future, officials should remember MisManageMyHealth and hear “public risk.” Going forward, any policy-making in digital health must involve independent voices (clinicians, privacy experts, patient representatives) to counter-balance the corporate interests.
Will anything change?
At the end of all this, the uncomfortable truth is that we’ve seen similar scandals before in other sectors, and we often hear grand promises of “never again” that quietly fade away. Will it be different this time?
The reforms above are not radical; they’re common sense changes that many other countries implemented years ago. The people responsible for this debacle have been identified. Real reform is possible, but only if there is sustained public pressure to overcome institutional inertia and vested interests.
Without it, the political will to act will dissipate as the news cycle moves on. We’ll get a review or two, some apologetic soundbites, and perhaps minor tweaks, but not the structural change needed. In a few years, another breach will hit, and we’ll replay the same ritual of shock and outrage.
It doesn’t have to be this way. New Zealanders have a chance to demand a privacy regime and digital health system worthy of our trust. The MisManageMyHealth scandal exposed deep flaws in how our democracy allocates responsibility and accountability. The next chapter is unwritten: Will our leaders implement real reform, or will this become just another “lessons learned” footnote without structural change?
Dr Bryce Edwards
Director of the Democracy Project