Manage My Health under pressure as minister, Privacy Commissioner circle

Saturday, 10 January 2026

Health Minister Simeon Brown el six of the Beehive. Brown says his priority areas will be health targets, health infrastructure and primary care.
Change is clearly needed after the massive Manage My Health data breach, Health Minister Simeon Brown says, as pressure mounts on the company over its handling of the fallout and the Privacy Commissioner moves closer to a formal investigation.

Just over half of affected patients have been contacted so far, and Manage My Health chief executive Vino Ramayah remains optimistic the full group will be notified in the coming days.

Still, Brown has been unimpressed by the communication response, describing it as “wanting”. He said the law makes Manage My Health solely responsible for notifying affected users.

Even the decision around ransoms lies with Manage My Health, he said. The Post previously reported the hacker had set a Tuesday morning deadline for payment but, when that deadline passed, confirmed it was moved to Friday at 5am.

“Well, the Government's position for a very long time has been to recommend parties not to pay ransoms,” Brown said. “Ultimately, though, that decision sits with Manage My Health.”

While the deadline had passed, Ramayah declined to say whether the company had paid or would pay a ransom.

Manage My Health, which holds data on about 1.8 million Kiwis, has been embroiled in a privacy‑breach crisis since December 30, with hackers demanding more than $100,000 for over 400,000 health files linked to about 127,000 people.

The fallout has extended beyond registered users. Northland Hospital’s use of Manage My Health to send discharge summaries, referrals and clinical correspondence has left sensitive data exposed, including information belonging to patients who were not signed up to the portal.

Brown said about half of affected patients had been contacted by close of business Thursday, with most of the remainder expected to be notified on Friday.

“That work is now happening at pace,” he said.

Ramayah told The Post there was “huge complexity” in communicating with affected patients. Notifications were being sent in stages - some included contacting vulnerable people, and coordinating with health providers. Patients without a regular GP or clinic had proven harder to reach, and all notices had to comply with privacy law.

Brown said one of his first messages to Ramayah after the breach was that “communication is key”.

“This is patients’ most personal information, and my expectation was that communication - publicly and directly with users - would be the top priority,” he said.

“My view is that the communication has been found wanting.”

Meanwhile, a Privacy Commission spokesperson said the next step was to consider further action.

“Given the scale of the incident, the sensitivity of the personal and health information involved, and the systemic issues being identified, it is likely the Privacy Commissioner may decide an investigation is warranted,” the spokesperson said.

Such an inquiry could examine the cause of the breach, the response, whether reasonable safeguards were in place, and broader questions around how sensitive health information is retained, managed and shared.

On Monday, Brown commissioned a review by the Ministry of Health to look at the cause of the breach, the data protections in place at the time, and to make recommendations. He wants the review to begin this month, with a timeframe to be announced once the terms of reference are finalised.

While he did not want to prejudge the outcome, “clearly there's going to be a need for some changes”.

University of Auckland cybersecurity expert Dr Abhinav Chopra said basic safeguards could have significantly reduced the harm.

If Manage My Health had stronger password reset processes, limited the number of accounts able to access patient data, and removed data when contracts with GP practices ended, it could have “saved a lot of people and their livelihoods”.