The Context

On 1 January 2026, ManageMyHealth confirmed a catastrophic cyber breach. Unauthorised access compromised approximately 428,000 patient files—108 gigabytes of sensitive health data. That’s 7% of their 1.8 million registered users. The root cause was an outdated encryption protocol. The Duty Minister called it “incredibly concerning.” The Privacy Commissioner, Health NZ, and Police are now involved. The public narrative is set: a systemic failure of care.

The Risk

Your personal liability is not just about fines. It’s about the court of public opinion. The Privacy Act 2020 mandates proactive protection of personal information. A known, outdated protocol may indicate a failure of that duty. The Companies Act 1993 requires directors to exercise reasonable care, skill, and diligence. The psychosocial damage to 428,000 people is immense. Their trust is shattered. Your brand is now synonymous with negligence. Regulatory penalties will follow, but the reputational erosion is immediate and permanent. The Minister is already demanding “urgent assurances.” Your board’s oversight is under a microscope.

The Control

Move from crisis response to trust restoration. This demands absolute transparency and demonstrable action. The forensic investigation must be public-facing in its conclusions. You must lead the narrative with contrition and concrete change. Your communication must be human, not corporate. Every update must rebuild a shred of credibility. The technical fix is the easy part. Winning back public faith is the real governance challenge.

The Challenge

These are the critical questions you should be raising at the board table:

Beyond containment, what is our specific, measurable plan to restore public trust, and how are we measuring its effectiveness week to week?
Show me the audit trail for the decision to retain the outdated encryption protocol. Who knew, when did they know, and what risk assessment was documented?
What is our proactive, board-led engagement plan with the Privacy Commissioner and the Minister to demonstrate we are owning this failure, not just managing it?