Democracy Briefing: The Watchdog that didn’t bark in the MisManageMyHealth scandal

Bryce Edwards
Jan 09, 2026

In June 2025, the Office of the Privacy Commissioner received an anonymous tip. Someone alleged that Manage My Health had exposed names, emails, and passwords through its patient portal. The OPC did what it could: it advised the company to “consider” stronger protections. Six months later, hackers stole 430,000 files containing some of the most intimate health data imaginable.

Why couldn’t the watchdog do more? Because our watchdog has been muzzled, starved, and trained not to bite.

The MisManageMyHealth breach wasn’t just a corporate failure. It was enabled by a deliberately weakened regulatory system. New Zealand has constructed a privacy regime where the regulator is underfunded, penalties are meaningless, and oversight is outsourced to the very companies we’re trusting with our most sensitive data.

This column, which is the third in my series on what I call the MisManageMyHealth scandal, examines the guardians who were supposed to protect us, and why they were structurally incapable of doing so.

The starved watchdog

The Office of the Privacy Commissioner (OPC) is our frontline defence against data abuse. It is also chronically, deliberately underfunded.

Here are the numbers: the OPC has just 48 staff to police privacy across an entire economy of five million people. Meanwhile, privacy complaints rose 21 percent last year. Serious breach notifications spiked 43 percent. And how did the government respond? It cut the OPC’s budget from $8.1 million to $7.6 million.

Former Privacy Commissioner John Edwards described the OPC as a “nursery for staff” – a place where investigators learn their craft before being poached by the private sector at double the salary. The institutional knowledge walks out the door every eighteen months.

The practical consequences are stark. When the Latitude Financial breach hit in March 2023, affecting one million Kiwis, the OPC didn’t have the resources to investigate independently. They had to rely on their Australian counterparts. Nearly three years later, that investigation still isn’t complete.

So when the anonymous warning about Manage My Health arrived in June 2025, the OPC followed its standard protocol: notify the company, ask for an explanation, and accept their assurances. They essentially outsourced the investigation to the suspect. Not because they wanted to, but because they had no other choice.

As an OPC spokesperson put it bluntly: “You can’t audit your way to safety. Without proper resourcing and a system of incentives and penalties, any audit regime will fail.”

This isn’t an accident. It’s a political choice. Successive governments have chosen to starve the watchdog rather than give it the resources to bite.

A law without teeth

Even if the OPC had more staff, they’d still be fighting with one hand tied behind their back. New Zealand’s Privacy Act creates virtually no deterrence.

The maximum criminal penalty for a privacy breach notification failure is $10,000. The ransom demand for the MisManageMyHealth data was $103,000. In other words, the fine for failing to protect patient data is less than one-tenth of what criminals think that data is worth.

Compare this to Australia. After the Optus and Medibank breaches in 2022 exposed tens of millions of records, the Australian Parliament acted within two months. Maximum penalties jumped to AU$50 million, or 30 percent of turnover if greater. Attorney-General Mark Dreyfus was blunt: “It’s not enough for a penalty for a major data breach to be seen as the cost of doing business.”

The gap is roughly 5,000-fold: a $10,000 maximum here against AU$50 million in Australia. For any company doing the maths, the message is clear: invest in security or don’t, as it makes no real difference to the bottom line.

The call for stronger penalties isn’t new. In 2017, then-Privacy Commissioner John Edwards submitted a 27-page recommendation advocating civil penalties up to $1 million for corporations. The government did nothing. In June 2024, Acting Privacy Commissioner Liz MacPherson renewed the call, describing New Zealand’s civil penalty regime as “nothing, nada.” In December 2025, current Commissioner Michael Webster again called for “urgent reforms” including multimillion-dollar fines. A March 2025 OPC survey found 75 percent of respondents supported empowering the Commissioner to levy meaningful penalties.

The government’s response? Cut the OPC’s budget.

Privacy barrister Katrine Evans captured the absurdity: “Where are the incentives for agencies to take privacy seriously, to invest in good systems, to support their staff? If you compare that with something like health and safety, where there are really significant fines available for workplace accidents, privacy is looking pretty weak.”

Privacy barrister Kathryn Dalziel agreed: “My view is that the penalties regime is not a deterrent. I just don’t think we have the deterrent factor in New Zealand.”

This isn’t oversight. It’s a permission slip for negligence.

The “high trust” mirage

How did we end up with watchdogs that can’t watch? The answer lies in what officials call the “high trust model”. This is a term that sounds reassuring until you realise it means “no oversight.”

Here’s how it works. The government signs contracts with private providers, sets out expectations for security, and then trusts those providers to meet them. No mandatory audits. No independent verification. Just faith that companies will do the right thing.

When the MisManageMyHealth breach hit, Health Minister Simeon Brown was quick to point fingers: “People who hold data are responsible for that. It is the agency that holds that data that has responsibility.” Health New Zealand confirmed that ManageMyHealth “is responsible for managing and securing its own systems.”

They’re not wrong that the company bears responsibility. But this framing lets the state off the hook entirely. The Ministry of Health admitted it has “no regulatory authority” over Manage My Health because it’s a private company.

Think about that claim for a moment. Manage My Health is used by 1.85 million New Zealanders – over a third of the population. It’s funded through primary care capitation payments. It handles public health data fed through government systems. It is, in every practical sense, public infrastructure. Yet the Ministry claims it has no authority to ensure that infrastructure is secure.

This is accountability laundered through privatisation. Taxpayer money flows from the Ministry to PHOs to GPs to software vendors, and at each step, responsibility evaporates. By the time it reaches the company actually holding our data, no one in government is watching.

A 2024 Public Service Commission inquiry into a separate data scandal (the Manurewa Marae controversy) explicitly found that “the high trust model was inappropriate for sensitive data.” Yet the health sector continued using exactly this model. The last security review that may have included Manage My Health was conducted in 2018 (which is a lifetime ago in cybersecurity terms). Te Whatu Ora admitted it didn’t even have access to that review.

As Green Party health spokesperson Hūhana Lyndon put it: “You can’t audit every five years and cross your fingers.”

But that’s precisely what happened. The government crossed its fingers, hoped the private sector would do the right thing, and when the inevitable occurred, blamed the private sector.

This isn’t unique to health data. It’s a pattern across New Zealand’s governance landscape. Leaky buildings. Pike River. Now digital health infrastructure. Deregulation, a vague invocation of “high trust,” disaster, and then a review that changes nothing.

A democratic deficit

What does this mean for democracy? It means citizens get a raw deal. New Zealanders were strongly encouraged to use online health portals; in some cases it’s practically required to engage fully with your GP or get certain services.

The public never really consented to having their most intimate data stored with a private third-party vendor that operates in a regulatory void. It just became the norm, quietly, as part of a drive to digital health.

But when that system failed catastrophically, the state’s response was, “Sorry, not our problem – take it up with the company.” That is an abdication of responsibility that should alarm all of us.

It erodes trust in public institutions and undermines the social contract. We trust government (and its delegated health system leaders) to ensure our safety in core services. Here, that trust was misplaced.

The truth is, the politicians have been happy to be bystanders. Less work for them, after all, and no pesky regulations to upset industry. Until, of course, thousands of people’s lives are thrown into anxiety and chaos by a breach that could have been prevented.

The accountability sink

Data specialist Callum McMenamin warned Manage My Health about authentication vulnerabilities in June last year, even tagging the company in a LinkedIn post. He got no response. Manage My Health ignored the warning. Six months later, the breach happened exactly as he predicted. The root cause, McMenamin says, is simple: “The Government’s failure to have enforceable data security standards such as multi-factor authentication.”

This week McMenamin identified the structural problem perfectly. He calls it an “accountability sink” – a place where responsibility disappears because the accountability line flows in the wrong direction.

The pattern is familiar. When systems fail, we punish the instance of the problem, not the cause. Media attention focuses on Manage My Health and the hackers who exploited its weaknesses. Meanwhile, the government that created the conditions for failure (the underfunded regulator, the toothless law, the “high trust” framework) escapes scrutiny.

McMenamin wrote this week: “The government can simply create blurry frameworks for security that vaguely use all the right buzzwords, while pushing all responsibility for implementing those frameworks downwards. Meanwhile, the government can make no attempt to centrally monitor compliance with that framework – because ignorance is bliss.”

The result is predictable. We’ve seen it before. The Waikato DHB breach in 2021 compromised the data of 4,200 patients, with systems running Windows XP that Microsoft had stopped supporting years earlier. No penalty. The Tū Ora Compass Health breach potentially affected one million New Zealanders. No penalty. The Mercury IT attack in 2022 hit coronial files and bereavement records. No penalty.

As journalist Rob Stock observed, New Zealand has been “sleepwalking towards a privacy breach like this.” We’ve “allowed our privacy laws to become hopelessly out of date, ignored the Commissioner’s pleas to bring in meaningful fines for breaches, and have collectively shrugged our shoulders through breach after breach after breach.”

Designed not to bark

The watchdogs didn’t bark because they were never meant to. They were declawed by a penalty regime that makes negligence economically rational. They were starved by budget cuts that left them unable to investigate or verify. They were trained to mediate after harm rather than prevent it. And they were operating within a “high trust” framework that treats oversight as an imposition rather than a protection.

This is sometimes referred to as “corruption by omission”. It’s not the kind of corruption where money changes hands, but the kind where politicians choose not to act, where regulators are left without resources, where warnings are filed and forgotten. It’s the corruption of a state that has hollowed out its capacity to protect citizens from powerful interests.

The MisManageMyHealth breach exposed 127,000 New Zealanders’ most intimate health records. Sexual assault survivors now live in fear of their histories being leaked. Psychiatric patients wonder if their darkest moments will become public. Families learned that even dead relatives’ records weren’t safe.

Without meaningful penalties, mandatory audits, and a properly resourced regulator, the next breach isn’t a matter of “if” – it’s “when”. The system that enabled MisManageMyHealth remains intact. The watchdogs remain muzzled.

But the failure of guardianship is only part of the story. Next, I’ll examine who built this house of cards: the company behind the platform, the monopoly it enjoys, and the lobbying that kept regulation at bay.

Dr Bryce Edwards

Director of the Democracy Project
