Independent review recommends stronger cyber security across health system

The Ministry of Health is strengthening cyber security across the health system following an independent review into the Manage My Health (MMH) cyber incident. This includes new work to ensure key third-party suppliers are independently assessed against required security standards.

Ministry of Health Chief Medical Officer Dr Joe Bourne says this was a serious breach involving the cyber theft of highly sensitive health information affecting 99,000 people. New Zealanders expect strong protections, and action is already underway across the system to strengthen them.

Dr Bourne says a key lesson is the need for independent assurance of third-party suppliers, rather than relying solely on self-assessment. This incident has highlighted clear areas where the system needs to improve, and our focus is now on learning from it and implementing these changes at pace.

Ministry of Health Chief Information Officer Quin Carver says the Ministry and Health New Zealand are already taking action, including:

• working with Manage My Health to obtain independent assurance of post-incident security improvements
• strengthening expectations for suppliers holding sensitive health information
• reviewing how the Health Information Security Framework is applied and monitored in practice
• establishing clearer roles and processes for patient notification during cyber incidents
• undertaking a desktop review of other major patient portals and developing a system-wide action plan.

Mr Carver says further work is underway to establish a more consistent, system-wide approach to independently validating that health sector suppliers holding sensitive health data meet appropriate cyber security standards, responding to recommendations from both this review and the Office of the Privacy Commissioner.

To strengthen the protections for health data, the review makes 26 recommendations focused on reducing the likelihood and impact of similar incidents. These include:

• stronger third-party cyber risk management and independent assurance
• clearer, system-wide processes for patient notification
• improved visibility of supply chain risks
• enhanced incident preparedness, including regular sector exercises.

Dr Bourne says the Ministry has accepted all the report's recommendations. Three actions are complete; five have been actioned and the Ministry is awaiting external confirmation they are complete); 12 are underway and a further six are being planned.

He says Manage My Health has already taken action to strengthen their data protections.

Dr Bourne says protecting people's health information is fundamental to trust in the health system. This review highlights that strong governance, clear accountability, and independent assurance are essential to reducing cyber risk.

The Ministry of Health and Health New Zealand have also written to key health sector leaders emphasising the importance of this.

The Ministry will continue to work with Health New Zealand, the Office of the Privacy Commissioner, and sector partners to implement its action plan and will provide updates as this work progresses.

Background

The Ministry review was informed by two independent reports undertaken by Bastion Security Group and CyberCX. The review found that the MMH breach - discovered in late December 2025 - involved unauthorised access to a privately operated patient portal and the theft of highly sensitive personal health information. It remains one of the most serious cyber security incidents experienced in the New Zealand health sector.

While the response to the incident was broadly proportionate, the review found the breach itself was largely preventable. It identified weaknesses in technical controls, incident preparedness, and communications, alongside broader system-level issues in how cyber risks are managed across third-party suppliers.

Key findings

The review found that:

• Manage My Health had significant security control gaps and was not sufficiently prepared for an incident of this nature
• known risks, including weaknesses in application security, had not been fully addressed prior to the breach
• patient notification and communications were delayed and inconsistent, contributing to confusion and a loss of trust
• security improvements have since been made, but further independent assurance is required
• stronger oversight and assurance of third-party suppliers holding sensitive health data is needed across the system.

The report concludes that the incident should be treated as a call to action for the health sector, highlighting the need for stronger system stewardship and more consistent management of cyber risk.

The Ministry's action plan focuses on strengthening system stewardship, setting clearer expectations for supplier security, improving incident preparedness, and more robust assurance and oversight of high-risk third-party providers within the health sector.

The action plan covers improving notification processes, enhancing assurance of high-risk suppliers, and ensuring the Health Information Security Framework is applied in practice, rather than relying on supplier self-assessment.

Read the report

The breach report and related documents are available at Proactive release of supporting information to the Manage My Health cyber security breach review.