10/01/2026
This Data Breach Was Preventable: Bryce Edwards
I’m the director of the Democracy Project, focused on scrutinising and challenging the role of vested interests in the political process.
In my previous column, I argued that the Manage My Health breach revealed a hollowed-out state. But there’s something even more damning than the structural failures I outlined. This wasn’t a bolt from the blue. It was foreseeable. And it was ignored.
The most uncomfortable fact about the theft of 430,000 medical documents isn’t that hackers got in. It’s that someone tried to warn us six months earlier, and nothing meaningful was done.
The June warning
In June 2025, an anonymous tipster contacted both Manage My Health and the Office of the Privacy Commissioner with a stark allegation: user names, email addresses, and passwords were exposed by the platform. Both the company and the regulator were put on notice that something was seriously wrong.
Manage My Health did investigate. They contacted a subset of users. They added some protections to those specific accounts. Then, apparently, they stopped.
Deputy Privacy Commissioner Liz MacPherson has confirmed that her office advised the company to consider applying those protections across all accounts. Consider. Advise. Not require. Not order. Not verify.
The OPC lacks the power to compel audits or mandate fixes. It can encourage. It can hope for compliance. And so it did. Whether that advice was followed or implemented remains unclear. What we know for certain is that six months later, hackers walked in.
Through the front door
When the breach hit, CEO Vino Ramayah made an admission that should have been front-page news. The hackers, he said, “came in through the front door using a valid user password”.
So, this wasn’t some sophisticated state-sponsored cyber assault. It was what security experts call “credential stuffing” or a simple password-based intrusion. Someone got hold of a working login and used it. That’s it.
Multi-factor authentication, now standard for everything from banking to Gmail, would have stopped it cold. But for a health portal holding 1.8 million patient records? Apparently optional.
Web standards consultant Callum McMenamin saw this coming. In mid-2025, he posted publicly on LinkedIn questioning Manage My Health’s authentication processes. He said they put “millions of New Zealanders’ health information at significant security risk”. He tagged the company directly. They ignored him.
After the breach, McMenamin was blunt: the company was “negligent” for not having mandatory multi-factor authentication. The hacker known as Kazu agreed, mockingly noting that the platform lacked “basic security protocols”.
A pattern we’ve seen before
What makes this so maddening is that Manage My Health isn’t our first big data breach. New Zealand has been sleepwalking through breach after breach, learning nothing and changing nothing.
In May 2021, the Waikato DHB was hit by what was then called the biggest cyber attack in New Zealand history. Hackers compromised 611 servers across five hospitals. Personal information of more than 4,200 patients and staff ended up on the dark web. Operations were disrupted for months.
Here’s the main thing: an internal draft strategy from December 2020, five months before the attack, had warned that IT security was “inadequate and severely compromised”. The systems were running Windows XP, which Microsoft had stopped supporting five years earlier. There was no incident response plan. No dedicated cybersecurity specialist.
The result? Privacy Commissioner John Edwards confirmed the DHB would not be fined.
Then there was Tū Ora Compass Health PHO. When that breach was discovered in 2019, investigators found attacks dating back to 2016. The GCSB concluded the organisation had intended to patch known vulnerabilities but simply hadn’t got around to it when the attacks occurred. Four separate intrusions went undetected for years. Up to one million New Zealanders were potentially affected.
Penalties imposed? Zero.
The Mercury IT ransomware attack in December 2022 hit coronial files, post-mortem reports, and bereavement records. The Latitude Financial breach in 2023 exposed the personal data of around a million Kiwis. Nearly three years on, the cash-strapped Privacy Commissioner still hasn’t finished investigating that one.
The repeated lesson for data holders has been perverse but clear: failure carries no real consequences beyond embarrassment.
The wake-up call we slept through
While we were collectively shrugging, Australia was doing something about it.
In late 2022, the Optus and Medibank breaches exposed the records of tens of millions of Australians. The Medibank breach alone compromised data on 9.7 million people, including sensitive health claims.
Within two months, the Australian Parliament passed the Privacy Legislation Amendment Act. Maximum penalties jumped from AU$2.2 million to AU$50 million, or 30 per cent of turnover if greater. Attorney-General Mark Dreyfus made the point clearly: “It’s not enough for a penalty for a major data breach to be seen as the cost of doing business.”
The message to Australian boardrooms was unmistakable. Treat data security as a survival issue, or face consequences that could sink your company.
New Zealand’s response to the same global wave of ransomware attacks? We did nothing. Our maximum fine remains $10,000, unchanged in concept since 1993. Privacy Commissioner Michael Webster has been practically begging successive governments for meaningful penalties. In November 2025, he again called for a “significantly stronger penalty regime”. Instead, the coalition government cut his budget by $2.1 million over four years.
As journalist Rob Stock put it: “We just don’t take privacy seriously enough. We are underfunding the Office of the Privacy Commissioner, have allowed our privacy laws to become hopelessly out of date, ignored the commissioner’s pleas to bring in meaningful fines for breaches, and have collectively shrugged our shoulders through breach after breach after breach.”
Risk socialised, accountability privatised
The government’s line has been consistent. When Health Minister Simeon Brown finally fronted, his message was clear: “ManageMyHealth is a private company responsible for protecting patient data, and it is responsible for this incident.”
He’s not wrong that the company bears responsibility. But this framing lets the state off the hook entirely. And it shouldn’t.
Patients didn’t choose Manage My Health. Their GP practices did. The platform became de facto public infrastructure, handling records for over a third of New Zealanders. Public money flows to it through primary care funding. And yet no government agency was routinely auditing its security. The Ministry of Health confirmed it has “no oversight of regulatory authority” over the company because it’s private.
This is how the risk gets socialised while accountability is privatised. The company cut corners and kept costs down. The regulator was too starved to probe. The government avoided any mandatory security standards that might upset the business lobby. Everyone chose minimal action.
And when the inevitable happened, the cost fell entirely on the 127,000 New Zealanders whose intimate medical records are now in criminal hands. Sexual assault survivors living in terror. Psychiatric patients wondering if their darkest moments will become public. Ordinary people who trusted a system that was never properly protected.
High trust, no accountability
Why were those loud warnings ignored? Largely because of our country’s ‘high trust’ model of regulation. Put bluntly, New Zealand tends to take a hands-off approach and trust organisations to do the right thing on their own. In the realm of data protection, that approach has been a disaster.
Look at our privacy oversight. The Privacy Act is mostly principles and guidelines with few teeth. The Office of the Privacy Commissioner is a small watchdog with no power to issue hefty fines or enforce strong standards. This high-trust mindset meant no one in government was actively verifying or enforcing cybersecurity standards at places like Manage My Health. No mandatory security audits, no required minimum safeguards. The whole system ran on an honour code. Our leaders essentially crossed their fingers and hoped a private firm would do the right thing, then acted surprised when that trust was betrayed. It’s governance by wishful thinking.
Hollowed-out oversight
To understand how we ended up so vulnerable, we have to acknowledge the broader policy environment. For decades, New Zealand governments of all stripes have embraced deregulation, privatisation, and cost-cutting – a neoliberal ethos that deliberately shrinks the role of the state. In many areas, from building safety to workplace safety, we’ve seen what happens when regulators are stripped of power. Now we’re seeing it with data and privacy.
Manage My Health is essentially a privatised piece of health infrastructure. Rather than building a secure public portal for patient records, our health system relied on a private provider and then largely left it alone. We outsourced a critical function and then didn’t bother to monitor or regulate it properly. The company was left to self-regulate, and government agencies only swooped in after everything blew up. It’s the same story as the leaky buildings or mining disasters: cut back oversight, leave it to the market, and sooner or later something explodes.
The breach wasn’t sophisticated. The warnings were ignored. The pattern was established. This was preventable. The question now is whether anyone will be held accountable, or whether we’ll simply wait for the next catastrophe.
This article was originally published by the Democracy Project.
The warnings were ignored. This was preventable. The question now is whether anyone will be held accountable, or whether we’ll simply wait for the next catastrophe.
