Budget 2026: Health experts hopeful money for digital upgrades will improve patient data safety

Gehan Gunasekara, professor of commercial law at the University of Auckland Business School. — Gehan Gunasekara, is a professor in commercial law at the University of Auckland’s business school who specialises in privacy. (File photo) Photo: Supplied

Experts and health professionals are hopeful money in this year’s Budget for digital upgrades will improve the safety of patient data, and cut admin time for clinicians.

Budget 2026 dedicated $153.6 million in funding for Health NZ to expand national cyber security monitoring, strengthen data security processes, and deliver IT safety upgrades across the system.

Specifically, that would include strengthening 24/7 cyber security monitoring, expanding its specialist cyber security expertise, and increasing its oversight in primary care.

Health NZ would also invest an additional $300m from its own budget to deliver the first three years of the Health Digital Investment Plan, replacing ageing devices, modernising radiology systems and upgrading core IT platforms.

Dr Michael Connelly from the Australasian College for Emergency Medicine said IT upgrades could cut staff admin time.

“What really helps us be more efficient is to have an integrated system that allows for radiology and medication and lab ordering from a touch of a button,” he said. “Then it allows you to spend more time with the patient.”

Despite the disestablishment of the DHBs and their amalgamation into a centralised health agency in July 2022, many of the IT systems remained different and separate.

Connelly was hopeful the time might have arrived when one central agency could shift to one central system.

“You would hope with the fact that we transferred to a single health system that that would be one of the benefits of that, and so I’m hoping that this investment will bring us toward some kind of integrated system throughout the motu.”

The funding followed a pre-Budget announcement last week of funding for a new nationwide digital patient record system for ambulances.

Dan Ohs, St John’s deputy chief executive of ambulance operations, said at the time the new electronic patient record system would replace “clunky”, decade-old technology.

Deputy Chief Executive - Ambulance Operations Photo: RNZ / Nate McKinnon

“Right now, for our frontline people, they would spend an average of 30 minutes after every patient documenting.”

Dr Bryan Betty, chairperson of General Practice New Zealand, said: “The increase in focus on cyber security and digital, I think, is very timely and very welcome in terms of what’s happened with Manage My Health earlier in the year.”

In December 2025, the patient health portal Manage My Health was the victim of a cyber attack in which people’s sensitive health information was stolen and put up for sale.

The Privacy Commissioner found both Manage My Health and Health NZ “failed in their responsibilities to have reasonable security safeguards in place to protect patient information”.

In April last year, Health NZ confirmed sweeping cuts to a third of IT staff, taking data and digital roles from 2000 to 1460.

A document released under the OIA earlier this year showed Health NZ knew cutting data and digital staff would increase risks to patient care and hospital resilience, and require one-off investment to mitigate.

Gehan Gunasekara, a professor in commercial law at the University of Auckland’s business school who specialised in privacy, said security was about more than IT - something the Privacy Commissioner’s recent report into the Manage My Health hack had also emphasised.

It also noted the importance of having people with the right knowledge.

“A lot of these breaches happen, not because of technical failures of the IT infrastructure, but due to broader governance failures where people haven’t really managed [it] across the whole spectrum,” Gunasekara said.

“It’s not enough to just have your IT people involved, you also need to have a governance team that can bring together the clinicians and everybody else, so they understand what it is they’re doing, and then they also understand the law and the legal requirements.”

Stella Ward, chief executive of the Digital Health Association, said Health NZ could potentially outsource cyber security to experienced specialists, or train staff themselves.

“When something happens, which - and it’s a ‘when’, not an ‘if’ - that you’ve got rehearsed, practiced and capable people that can step in, and look at how do we detect what’s going on, how do we respond to what’s going on, and how do we mitigate quickly.”

Smaller providers like GPs would need help, she said.

“If you’re a small organisation, having access to people who are specialists in cyber security and privacy […] would be a good mechanism that could be expanded through the use of this kind of funding.”

Sign up for Ngā Pitopito Kōrero, a daily newsletter curated by our editors and delivered straight to your inbox every weekday.