Accessible News

Top storiesNew ZealandPoliticsBusinessEntertainmentSportsWorld

My health data was among those hacked - here’s why I’m not surprised

Wednesday, 7 January 2026

Manage My Health
Manage My Health's Auckland offices.

Were you affected by the breach or are you concerned about privacy? Have your say in the comments.

OPINION: I’m one of those who has had health data stolen in Manage My Health’s disastrous privacy fail.

Of course it came as an unwelcome surprise when my GP’s surgery called me on January 6, a full seven days after Manage My Health was hacked.

But actually, I had been expecting to be a victim of a privacy breach at some point. It felt like just a matter of time.

New Zealand has been sleepwalking towards a privacy breach like this one. Hopefully the shock of Manage My Health finally wakes us up.

We just don’t take privacy seriously enough. We are underfunding the Office of the Privacy Commissioner, have allowed our privacy laws to become hopelessly out of date, ignored the commissioner’s pleas to bring in meaningful fines for breaches, and have collectively shrugged our shoulders through breach after breach after breach.

Read More:

The complete lack of political response from the Labour-Green government after the massive Latitude Financial breach in March 2023 in which data relating to 1 million New Zealanders was stolen was astounding, but understandable.

The incident is barely remembered by the public. That’s partly because nearly three years after it happened, the cash-strapped, under-resourced Office of the Privacy Commissioner still hasn’t finished its investigation.

It’s almost as if we don’t really care about privacy.

The Manage My Health debacle may be good for us as a country.

Australia had its privacy wake up call with the massive privacy fails of Medibank and Optus in 2022.

We in New Zealand serenely ignored those happenings. Angry Australian politicians lifted their privacy law breach fines to A$50m. We have virtually no privacy failure civil penalties.

The thing that is different with Manage My Health is that it is health data that has been stolen. Along with your lawyer, and your priest, your relationship with your doctor should be inviolable and utterly private.

I have reflected how I am lucky in one sense.

The Manage My Health online portal with a message for users about a data breach.
The Manage My Health online portal with a message for users about a data breach.

I still don’t know what data was stolen relating to me, or how it was stolen.

A message I sent on Tuesday to the Te Whatu Ora email we victims have been given hasn’t elicited a response yet. My GP surgery had tried to find out, but was ironically told by Manage My Health that the Privacy Act prevented them from revealing that to anyone but me. I am waiting for them to tell me. There is supposed to be an 0800 number I can call, but I haven’t been given that either.

In a way, I sympathise. There are about 127,000 people like me in privacy breach limbo. That’s not an easy number of people to contact when each will have a lot of questions, and are likely to be pretty cheesed off.

But, I am lucky. I have no health conditions that I would be concerned for anyone to know about. There’s nothing blackmailable in my records, or anything I might consider embarrassing. My records do not reveal personal trauma that I would be devastated to have aired publicly. I’m not living in dread of the vindictive hackers carrying out their publication threat.

Of course, these concern are only part of the real point here.

Suppose next week there was something I wanted to talk to my doctor about that was sensitive or traumatic? Would I now do it?

My GP practice notified me of the theft of data relating to my health on Tuesday.
My GP practice notified me of the theft of data relating to my health on Tuesday.

I wasn’t super keen on signing up for Manage My Health. Every time I have to hand my data over to someone, I sigh, and wonder: Is it secure?

Manage My Health has some handy features, such as being able to communicate directly with my GP, and to view my medical records. There was a mistake in my records. I had it corrected. That was helpful, and might mean should I drop dead, my life insurer won’t turn round and claim I lied on my application all those years ago.

There was no way for me to tell whether Manage My Health was secure.

And here is where all our successive government inaction and apathy is such a problem. For an ordinary member of the public, there is precious little we can do to check the security of the likes of Manage My Health.

In many walks of life we, the public, rely on regulation to keep us safe. We can’t test the medicines we rely on. We can’t test heaters for safety. We can’t check our banks are meeting their capital requirements.

Regulation is one of the core functions of government, as is making sure there are adequate penalties, and adequately-resourced law enforcement, to encourage people to take their responsibilities seriously.

We have been slack as a country on so many digital fronts, not just on privacy.

We were woefully slow, and ineffectual on cyber fraud and scamming. We’ve rolled over on harmful social media. We allow AI companies to harvest people’s content, give us “hallucinations” instead of reality, and peddle pornography, graphic violence, and other harmful content to us, and even our children. For heaven’s sake, we don’t even have democracy-protecting laws forbidding the generation of fake photos and videos of our politicians.

We really need to do much better. Finally modernising our privacy laws, and finding another $1million-or-so each year for the Office of the Privacy Commissioner (20 cents per year each) would be a start.

Comments are moderated during working hours and may not appear immediately.