The Context

A cybercriminal group called “Kazu” accessed the ‘My Health Documents’ module of the ManageMyHealth platform in late December 2025. They stole over 400,000 sensitive health documents—referrals, test results, discharge summaries—and demanded a US$60,000 ransom. The breach was publicly announced on 1 January 2026. It directly impacted between 108,000 and 126,000 patients, with a disproportionate effect on 45 Northland GP practices. Health New Zealand is the data controller for that region; ManageMyHealth is the processor. The Minister of Health commissioned an urgent review on 5 January. The High Court has issued interim injunctions to try to contain the spread, but the data is out there.

The Risk

This is not an IT problem. It is a leadership crisis. The ‘Court of Public Opinion’ is now in session, and the verdict is a catastrophic erosion of patient trust. For a director, the personal liability is twofold. First, the systemic failure in access controls may indicate a breach of duty under the Companies Act 1993. Did the board adequately oversee the cyber-risk posed by a critical third-party processor? Second, the Privacy Act 2020 obligations are clear. A failure to protect such intimate data can trigger investigations, reputational ruin, and significant fines. But the real penalty is brand erosion. You are now the board that presided over the leak of a community’s most private health information. That stain does not wash off with a press release.

The Control

Your immediate strategy must shift from containment to restoration. Stop managing the incident and start leading the recovery. This means transparent, compassionate, and continuous communication with affected patients. It means personally owning the ministerial review process, not delegating it to legal. You must demonstrate that the board understands this is a human crisis, not just a data one. The governance failure was in treating patient trust as an IT asset to be secured, rather than the core of your social licence to operate. Rebuild that, or there is no business to govern.

The Challenge

These are the critical questions you should be raising at the board table:

Beyond the technical ‘gaps’, what was the specific governance failure in our oversight of ManageMyHealth’s access controls, and who on this board was accountable for that relationship?
Our crisis response has been legal and technical. Where is our concrete, funded plan to address the psychosocial harm and restore trust with the 45 Northland practices and their patients?
The ministerial review will dissect our actions. What is our board’s unified narrative that proves we met our duty of care, and what evidence are we preparing to support it?