Privacy Commissioner probes Manage My Health cyber incident

Review to assess context, safeguards, and remedial measures


By Roxanne Libatique

New Zealand’s Privacy Commissioner has launched a formal inquiry into the cyber security incident at health platform provider Manage My Health Limited (MMH), signalling increased regulatory scrutiny of health data security and incident response practices. The inquiry will be conducted under section 17(1)(i) of the Privacy Act, the mechanism the Office of the Privacy Commissioner (OPC) typically uses to examine privacy issues that raise broader public interest questions.

Privacy Commissioner Michael Webster said the incident meets that threshold. “Given the scale of the incident, the sensitivity of the information, and some of the systemic issues being identified, it’s clear to me we need to investigate the privacy issues involved,” Webster said. The OPC is consulting with relevant stakeholders on draft terms of reference, which are expected to be published on Jan. 28. The inquiry will review the circumstances of the cyberattack, the protections in place before the incident, and the adequacy of remedial steps.

“New Zealanders rightly expect any agency collecting, holding, using, or storing their sensitive health information to maintain high standards of privacy and data protection. Our inquiry will help determine whether appropriate security safeguards were in place and if not, why not. We will also look at what steps will be taken to prevent such an incident happening again,” Webster said. For insurers and intermediaries active in cyber, health, professional indemnity, and D&O lines, the inquiry is likely to inform future expectations around governance, vendor management, and data protection standards in the health and insurtech ecosystems. 

Impact of the incident and data involved 

In an update published on Jan. 20, MMH said it had experienced a cyber event affecting a specific feature of its platform for some users in New Zealand. The incident related to content stored in the My Health Documents area of the service. According to MMH, the affected repository includes: 

  • Documents uploaded by users, such as correspondence, reports, or results 
  • Clinical documents, including hospital discharge summaries and clinical letters linked to care in Northland Te Tai Tokerau

MMH has stated that several other components of its infrastructure were not impacted. The company said GP clinical systems, live medical records, prescriptions, secure messaging, and appointment systems were not part of the incident scope. The company reported that it acted after detecting unusual activity in its systems, moving to secure the platform, block further unauthorised access, and initiate its incident response plan. MMH said the vulnerability has since been remediated, the affected feature secured, and independent cyber security specialists engaged to verify the impact. 

Notifications, legal steps, and regulatory coordination 

MMH has embarked on a multi-stage notification process for individuals linked to the impacted documents. It said most affected patients have now received notification emails, with remaining cohorts still in progress. The company indicated that it initially chose to advise all potentially affected individuals at an early stage. This approach subsequently led to some patients learning that they had been warned in error, after forensic work determined that their data had not been accessed. MMH has since issued follow-up updates to those people. Patients can log in to the web application to confirm their status. MMH says a green box at the top of the screen stating “No Impact” means the user was not affected by the cyber incident. 

The provider has acknowledged that completing the remaining notifications will take time, citing the need to coordinate between different patient groups, relevant authorities, and data controllers, and to remain compliant with the New Zealand Privacy Act. MMH said it is working with the OPC and other agencies as part of that process. From an insurance perspective, the notification exercise illustrates the scale of post-breach operational and cost exposures, including communications, support services, and legal oversight – all relevant to cyber and privacy liability cover design and limits.

High Court injunction and monitoring for data misuse

To address potential downstream misuse of the compromised data, MMH has obtained an interim injunction from the High Court. The order seeks to prevent third parties from accessing, sharing, or publishing information linked to the incident. MMH has also reported continuous monitoring of known data leak and dark web sites, with a readiness to issue takedown notices if any affected data is posted. In parallel, MMH has notified and is in ongoing contact with Health New Zealand | Te Whatu Ora, the National Cyber Security Centre (NCSC), the OPC, and New Zealand Police. The company has described its response as coordinated across agencies and aligned with sector and legal obligations. 

Technical response and continuing investigation 

In its public update, MMH outlined several steps taken to contain and manage the incident: 

  • Forensic specialists have confirmed that the incident has been contained and the affected feature secured. 
  • Account credentials associated with the unauthorised access have been reset or remediated. 
  • The Health Documents module was temporarily disabled while the vulnerability was addressed. 
  • Subsequent testing has, according to MMH, confirmed that the specific vulnerability is no longer present. 
  • Ongoing monitoring has been implemented while security and data protection systems are being strengthened and upgraded. 
  • An independent cybersecurity firm is conducting a forensic investigation, which remains in progress.

MMH has said it is not yet able to discuss detailed technical findings while that external review continues. The company has also warned that secondary actors may attempt to exploit the incident by impersonating MMH in spam or phishing campaigns. It has advised that such emails are not from MMH and is assessing further measures to limit this activity. These elements – containment, credential remediation, module isolation, ongoing monitoring, and third-party forensic review – map closely to key incident response obligations that insurers often specify in cyber and technology liability policies. 

Support measures and considerations for the insurance sector 

MMH has set up support channels for individuals seeking assistance, including an email contact point and a partnership with IDCARE, which provides identity and cyber support services in Australia and New Zealand. IDCARE offers free, confidential help for people concerned about identity misuse or compromise. The company has also directed users to guidance and resources on privacy rights, online safety, password practices, and cyber protection from organisations such as the OPC, IDCARE, Netsafe, and Own Your Online. In a public statement, MMH said it takes the privacy of clients and staff seriously and apologised for any concern or inconvenience resulting from the incident. 

For insurers, brokers, and risk advisers, the developing situation and the forthcoming Privacy Commissioner inquiry may influence: 

  • Future underwriting assumptions for health and digital health providers, including expectations on segregation of systems and document repositories. 
  • Policyholder guidance on breach readiness, notification strategies, and communications governance. 
  • Assessment of aggregation risks where third-party platforms host data for multiple clinics or organisations.

The OPC’s findings on “appropriate security safeguards” and systemic issues are likely to be closely reviewed across the insurance and health sectors as organisations reassess their cyber resilience and privacy risk frameworks.
