**NZ's Health Data Hack Needs a Proper Diagnosis – and a Transparent Treatment Plan**

The recent cyber hacks targeting New Zealand's digital health systems have left the public reeling, with over 127,000 patients affected by the breach at Manage My Health (MMH). The incident has raised fundamental questions about data security, accountability, and transparency. While the government has announced a review of the situation, it is imperative that we get to the root of this problem and implement effective solutions.

Manage My Health, a patient portal used by many general practices to share test results, prescriptions, and messages, was hacked on December 30. The breach was limited to its "Health Documents / My Health Documents" module, but the incident has sparked widespread concern about data security in New Zealand's health sector. The Office of the Privacy Commissioner confirmed it was notified on January 1 and later published guidance for those affected.

While MMH has obtained urgent High Court injunctions to restrain the use or publication of stolen data, the investigation into the breach is ongoing. In its decision, the court described activity patterns consistent with automation, including unusually high-frequency behavior and repeated access attempts. However, this does not establish which specific technical control failed – or where responsibility ultimately lies.

A recent breach at Canopy Health has also come to light, revealing that parts of its administrative systems were accessed without authorization six months ago. The patients affected were only notified this week, highlighting the importance of timely and transparent communication in the wake of a data breach.

The way breaches are framed is crucial in shaping the response. While some may label the MMH incident as "cyberterrorism," this term has a specific and contested meaning. According to security scholar Dorothy Denning's widely cited definition, cyberterrorism refers to attacks intended to coerce or intimidate in pursuit of political goals, causing severe harm – not financially motivated intrusions or large-scale data theft alone.

The label matters because it influences how problems are framed, which solutions are prioritized, and which questions are ultimately sidelined. In this case, framing the breach as "cyberterror" can lead to a focus on speed over evidence, with dramatic reassurance taking precedence over careful diagnosis. This can result in "security theatre," where visible but poorly targeted measures are implemented without reducing risk.

Research on cyber-threat politics shows that threat narratives shape which problems receive funding and attention. In this case, the government's response has centered on commissioning a review, with Health Minister Simeon Brown framing MMH as a privately operated portal used by some general practices. However, this approach creates an immediate transparency problem.

For a transparent and effective treatment plan to be implemented, it is essential that the terms of reference and independence are explicit. The review needs a clear method, a boundary between facts and assumptions, and a public explanation of what evidence will be examined. An obvious starting point is clarifying who holds the data and who is accountable.

MMH's privacy statement and terms of use outline how information is made available through the portal and the responsibilities of users. However, public sources do not fully set out the underlying hosting arrangements, the role of subcontractors, or how responsibility is allocated between different parties. Without a clear "data custody chain," accountability becomes diffuse.

Preventing a repeat of the MMH breach depends on controls that operate at system level and can be independently audited. First, portal operators should maintain a credible vulnerability-disclosure program that publicly sets out how security issues can be reported, responded to, and tracked. Second, independent testing must be anchored to explicit standards, not general assurances that a system has been externally checked.

Finally, communication should be treated as part of security. Clear, consistent notifications reduce confusion and with it the opportunity for scammers to impersonate security. In the fallout of this debacle, what matters most now is seeing evidence of improvements across the system – not just within a single portal but also across the wider health sector.

For people affected by the breach, the immediate priority is to follow official guidance and remain cautious about phishing or impersonation attempts. The government's advice on Own Your Online is a sensible starting point. However, it is crucial that we move beyond advice and implement concrete solutions to prevent similar breaches in the future.

**What needs to be done:**

* Clarify who holds the data and who is accountable
* Implement a credible vulnerability-disclosure program
* Anchor independent testing to explicit standards
* Ensure governance has teeth, with procurement contracts requiring proof of basic controls and clear timelines for responding to incidents and preserving evidence
* Treat communication as part of security, with clear and consistent notifications

**What's next:**

* The government's review needs a transparent method, a clear boundary between facts and assumptions, and a public explanation of what evidence will be examined
* We need to see evidence of improvements across the system – not just within a single portal but also across the wider health sector