Claims of crossed fingers and no encryption: Big questions after health data hack

Wednesday, 7 January 2026

Auckland-based Manage My Health has been the target of a ransomware attack with $104,000 demanded. The hacker posted, top right, a 48-hour deadline on Sunday but, as that expired on Tuesday morning, told The Post they were in negotiations (bottom right).

As questions are raised about government oversight of health data, the Manage My Health thief says some patient information was not encrypted – an alleged lapse that has an expert saying heads should roll.

Privately owned Manage My Health was hacked on December 30, with a $104,000 (US$60,000) ransom demanded for more than 120,000 patient documents.

The Tuesday morning deadline to pay was extended until 5am on Friday with the hacker telling The Post they were “in negotiations” with Manage My Health. Manage My Health would not confirm this.

The hacker claimed some of the documents were unencrypted – a claim Manage My Health would not confirm by deadline.

Tech specialist Pat Pilcher, a media commentator for more than 20 years, said the data should have been encrypted.

“If they haven't, heads should roll,” said Pilcher, who now pens reviews for online magazine Witchdoctor. “Basically when you trust a service like that with your data – especially with health data – it should be encrypted.

“It should be super, super private. If a third party can get that data and make use of it, then some really hard questions need to be asked.”

Manage My Health started informing affected patients and clinics on Tuesday and said it had an interim injunction stopping the accessing of or dealing with stolen data. It said held information should be deleted.

It comes as a 2024 Official Information Act (OIA) request from Te Whatu Ora Health NZ has re-emerged showing the last security review of the general practice system, “which may have” included Manage My Health, was undertaken “around five years ago”.

But that was done by the Ministry of Health and Te Whatu Ora did not have access to it.

On Tuesday afternoon, the Ministry of Health said in a statement it carried out a sector‑wide review of security across key health portals and practice management systems in 2018 to identify vulnerabilities and recommend improvements, but the review was a one‑off exercise and was not part of its ongoing responsibilities.

The Ministry also noted it had no regulatory authority over Manage My Health, which was a private company and must comply with the Privacy Act 2020 and the Health Information Privacy Code.

Robin Gauld, an honorary professor at the Otago School of Medicine and executive director of the Bond University business school in Australia, said he would be “extremely surprised” if the Ministry did not have a duty to audit Manage My Health’s security.

“Health and patient data are distributed across the health system and beyond, including public and private practice and providers,” he said.

“For this reason, there should be strong government interest and oversight of all data providers and businesses. There is also a lot of public money involved.”

Manage My Health was funded by GPs, which got about half their funding from the government, and government-funded primary health organisations.

Green Party health spokesperson Hūhana Lyndon said it raised serious questions about the level of oversight the government had over private companies holding sensitive health data.

“When has the system been doing the monitoring? You can’t [audit] every five years and cross your fingers.”

Tough questions needed to be asked about whether Manage My Health, which had to be held to account for allowing the breach, was up to the job of holding confidential patient information, Lyndon said.
