Trust: The First Casualty

A public health data breach exposes more than a software flaw.

The Context

Between 108,000 and 126,000 New Zealanders had their private health documents exposed. The breach in the ManageMyHealth app’s ‘Health Documents’ module was confirmed in the first days of January 2026. The technical flaw is now patched. The real damage is just beginning. The Public Service Association has framed this as a direct consequence of government IT workforce cuts, calling it a “ticking time bomb.” The Minister of Health has signalled an independent review. The public narrative is already set: systemic failure.

The Risk

Your personal risk is not in the code. It’s in the court of public opinion and the subsequent regulatory glare. When a critical public service fails, the board’s oversight is the first thing scrutinised. The Privacy Act 2020 mandates protection of personal information. A breach of this scale may indicate a failure of the governance duty to ensure adequate systems and resources. The Minister’s call for a review is a warning shot. It will examine decisions, resourcing, and priorities. If that review finds wilful blindness to known IT vulnerabilities—perhaps amid cost-cutting—the line from operational failure to a potential breach of director duty under the Companies Act 1993 shortens dramatically. Your reputation, and the organisation’s social licence, are haemorrhaging with every headline.

The Control

Move from a technical response to a leadership one. The patch is IT’s job. Restoring trust is yours. You must visibly own the crisis narrative. Commission the independent review before it’s forced upon you. Engage transparently with affected individuals—not with legalese, but with humanity. Audit your governance of third-party digital providers. Treat public data as a sacred asset, not a line item.

The Challenge

These are the critical questions you should be raising at the board table:

Beyond the technical fix, what is our concrete, board-led plan to rebuild public trust, and how are we measuring its effectiveness?
When did the board last review the resourcing and risk profile of our core IT security functions, and what assurances did we receive that the resourcing was sufficient?
What is our proactive strategy to engage with the pending independent review to ensure it examines systemic governance, not just technical failure?