Skip to content

ManageMyHealth was not managed

Contradictory breach emails, slow notification, and an AU product on the same platform. How to read health-data incident comms.

ManageMyHealth was not managed. The response was nowhere good enough. The laws look inadequate. And the Australian version still boasts being built on the same platform.

On 30 December 2025, Manage My Health identified unauthorised access to a feature of its New Zealand patient portal. The Office of the Privacy Commissioner was notified that sensitive health information of thousands of users was involved. See also the public notice and Wikipedia summary.

I'm reading the customer email and I still can't figure it out.

ManageMyHealth breach email excerpt
Customer email says module-only access, then asks for a password change.

How to read a contradictory breach email

Further investigations have identified that one module within the Manage My Health app, referred to as Health Documents, was compromised by a third party. This allowed a third party to access and download the documents within that module. The third party did not gain access to the whole app.

OK. If they didn't get the whole app, and could "only" access health documents, maybe it wasn't full account takeover - just the Health Documents module.

We've added extra checks when people log in and limited how many times someone can try to access the system in a short time.

Wait. So is this the account or not the account?

The third party did not gain access to the whole app.

OK, maybe not the account.

Recommended Security Steps: Change your password if you haven't done so recently.

Wait, what?

All health documents have been re-secured, and their storage has been strengthened.

Whatever "re-secured" means.

Enable Multi-Factor Authentication (MFA) for added protection.

Good to know that this is finally an option.

What this actually tells you

  • The service was affected by serious vulnerabilities
  • Incident response and notification timing look insufficient relative to what people expect for health data
  • "Re-secured" without an independent assessment is marketing, not assurance
  • The NZ Privacy Act and Health Information Privacy Code are being stress-tested by incidents like this

Also, from the About page on the AU version of Manage My Health: built on a platform used by over 1.85 million New Zealanders and used by many health centres in Australia. I hope the Office of the Australian Information Commissioner has started asking hard questions already.

If you are a board or a clinic using a patient portal: treat vendor breach emails as evidence to interrogate, not as closure. Ask what was accessed, how authentication failed, what independent review is underway, and whether MFA was optional until after the fact.

Find this on LinkedIn and give it a thumbs up: ManageMyHealth was not managed

Olivier Reuland