The Context
Over 400,000 New Zealanders' health documents were stolen. The hacker group Kazu demanded a US$60,000 ransom after breaching a specific document storage module at Manage My Health on 30 December 2025. The public found out on New Year's Day. This was not a sophisticated attack on core systems. It was a targeted strike on a peripheral module, the kind of component that typically receives less security review and monitoring than the core platform while holding the same sensitive data. The Ministry of Health's urgent review, commissioned on 5 January 2026, will dissect the failure. While no source explicitly links this incident to prior privacy budget cuts, the strategic lesson is clear. A decision to under-invest in data protection, whether framed as 'efficiency' or 'cost-saving', creates exactly the kind of exposure that was exploited here. The board's governance choices set the conditions for the crisis.
The Risk
Your personal reputation is now the company's primary asset, and it is haemorrhaging value. The 'Court of Public Opinion' has convened. It judges not on technicalities, but on trust. The psychosocial harm to patients whose intimate health data is now exposed is immeasurable and forms the bedrock of public anger. Legally, this may indicate a failure of the directors' duty of care under the Companies Act 1993. Directors can be held personally liable if a court finds they failed to exercise the care, diligence and skill a reasonable director would exercise in overseeing data security. The Privacy Act 2020, through its security safeguards principle (Information Privacy Principle 5), requires an agency to protect personal information against loss and unauthorised access, use and disclosure. A breach of this scale suggests that requirement was not met. The High Court injunction of 5 January is just the first legal step; claims from affected individuals are likely to follow. The brand erosion is immediate. The financial and legal reckoning follows.
The Control
Governance must shift from a cost-centre mindset to a critical risk-management function. Treat every dollar not spent on robust privacy and security infrastructure as a potential future liability multiplier. The board must demand a documented link between every strategic budget cut and its downstream risk profile, with the residual risk formally accepted and recorded. Insist on regular breach simulations (tabletop exercises with executives, legal, communications and technical staff), not just theoretical policy. Your role is to protect the organisation's social licence to operate. That licence is now in severe jeopardy.
The Challenge
These are the critical questions you should be raising at the board table:
1. Show me the last three years' budget proposals for data security and privacy. For every line item that was reduced or rejected, what was the documented risk assessment that justified the exposure we now face?
2. Beyond the core IT systems, what is the full inventory of peripheral modules and legacy systems that hold sensitive data, and which one is the next 'My Health Documents' module waiting to be breached?
3. What is our quantified plan, with clear accountability, to rebuild public trust? How are we measuring the erosion of our brand equity in real time, and what are we prepared to spend to restore it?