About us Mō mātou

About the Ministry of Health and the New Zealand health system. 

Regulation & legislation Ngā here me ngā ture

Health providers and products we regulate, and laws we administer.

Strategies & initiatives He rautaki, he tūmahi hou

How we’re working to improve health outcomes for all New Zealanders.

Monitoring & statistics He aroturuki, he tatauranga

Data and insights from our health surveys, research and monitoring.

Māori health Hauora Māori

Increasing access to health services, achieving equity and improving outcomes for Māori.

The Ministry of Health has now completed its review into the Manage My Health cyber security breach.

This review was commissioned following one of the most serious cyber incidents experienced in New Zealand. The breach involved unauthorised access to sensitive clinical and personal health information of over 99,000 individuals across New Zealand. This resulted from multiple weaknesses rather than a single failure. Early in the review process, the Ministry separated the work into two distinct phases to allow urgent technical risks to be identified and acted on quickly, while still enabling a deeper, system-level assessment to follow.

This page provides access to the Manage My Health (MMH) breach report and related supporting information. The report sets out what happened, how the breach occurred, and the steps taken once it was identified. It also explains the impact of the incident and the findings of the independent review, with a focus on transparency and accountability.

Protecting personal health information is critical. The report outlines clear actions needed to strengthen security controls, governance, and oversight to reduce the risk of similar incidents in the future. Work is underway to address these findings, improve system security, and restore public confidence. Updates will be provided as further improvements are implemented.

Please note that some information has been withheld in line with the provisions of the Official Information Act 1982:

  • 9(2)(a) – to protect personal privacy
  • 9(2)(b)(ii) – to protect information that is commercially sensitive
  • 9(2)(ba)(i) – to protect information which is subject to an obligation of confidence
  • 9(2)(g)(i) – to maintain the effective conduct of public affairs through the free and frank expression of opinions
  • 9(2)(f)(iv) – to maintain the confidentiality of advice that is under active consideration
  • 6(c) – to protect the maintenance of the law.

List of documents

1. Letter – Commissioning a Ministry of Health-led Review

Date: 4 January 2026

Minister of Health wrote to the Ministry to commission a review with a specific purpose, noting commencement by 30 January 2026.

2. Letter from Manage My Health CEO to the Minister of Health

Date: 6 January 2026

Letter from Vino Ramayah (CEO, Manage My Health) to the Minister of Health acknowledging the Ministry of Health-led review into the breach

3. Weekly Report excerpts

Date: Various

Contents
DateTitleSummary
9.02.2026Update on Ministry review – Manage My Health cyber security breachInforming Minister of the date and scope of the phase one report, and procurement for phase two.  
23.02.2026Update on Ministry review – Manage My Health cyber security breachInforms Minister of new date for completion of the phase one report.
13.04.2026Progress with the Manage My Health reviewUpdated the Minister on actions post phase one review, progress with phase two, work underway across government and the next steps.

4. Letter – Upholding Information Security Standards

Date: 2 March 2026

Joint letter from the Director-General of Health and Chief Executive of HNZ to the health sector.

5. Letter – Phase 2 review of the Manage My Health

Date: 2 March 2026

Letter from the Director-General of Health to the Chief Executive of HNZ advising on the commencement of phase 2 of the MMH review.

6. Letter – Phase 2 review of the Manage My Health

Date: 5 March 2026

Response from the Chief Executive of HNZ to the Director-General’s letter.

7. Manage My Health interim review and next steps – H2026079338

Date: 11 March 2026

Contents
TitleSummary
Briefing – Manage My Health interim review and next steps – H2026079338Provides the Minister a copy of the interim review and update on next steps.
Appendix 1 – Terms of ReferenceTerms of reference for the Ministry’s review into the MMH cyber security breach
Appendix 2 – Manage My Health Cyber Security Review reportPhase 1 report completed by Bastion
Appendix 3A – Letter from Sir Brian RocheLetter seeking assurance for the Ministry’s arrangements for managing, protecting and overseeing personal information.
Appendix 3B – Response from the Ministry of HealthMinistry’s information provided back to PSC.

8. Preliminary actions post phase one ‘Manage My Health’ review – H2026080142

Date: 20 March 2026

Contents
TitleSummary
Briefing – Preliminary actions post phase one ‘Manage My Health’ review H2026080142Updates the Minister on progress with addressing the urgent recommendations from phase 1 of the review.
Appendix 1 – phase one recommendations and advice   A table of the phase 1 recommendations and actions underway by the Ministry.
Appendix 2 – letters sent from Celia Wellington to portal providers   An example of the letters sent from the Deputy Director-General, Corporate Services, to primary care portal providers assessed through desktop analysis.
Appendix 3 – passive assessment brief prepared by Bastion for MMH   A summary of the key findings and vulnerabilities detected by Bastion for MMH.
Appendix 4 -  MMH Response to Bastion Security Review findings – external working document 17-03-2026Response from MMH to the phase 1 findings and recommendations.

9. Action plan for the Manage My Health Cyber Security Breach Review – H2026081778

Date: 14 May 2026

Contents
TitleSummary
Briefing – Action plan for the Manage My Health Cyber Security Breach Review H2026081778Seeks feedback on the action plan and updates on progress of policy work, both at the Ministry and across government
Appendix 1 – Summary of Review recommendations and Ministry’s action planTable of recommendations, assigned owners, risk rating, timeframes and actions.

10. Public release of ‘Manage My Health’ cyber security breach review – H2026082779

Date: 21 May 2026

Contents
Document typeTitleSummary
BriefingPublic release of ‘Manage My Health’ cyber security breach review H2026082779Seeks agreement to release the public facing review into MMH on Wednesday 27 May supported by a press release and proactive release of supporting information.
ReportAppendix 1: MMH Cyber Security Breach Review Phase 2 – Public ReleaseFinal review for public release.
LetterAppendix 2: Draft letter from Hon Simeon Brown, Minister of HealthLetter from the Minister of Health to Cabinet colleagues to confirm completion of the MMH report
LetterAppendix 3: Draft letter from Acting Director-General of Health to colleaguesLetter from the Acting Director-General to colleagues to confirm completion of the MMH report  
Action planAppendix 4: Ministry of Health’s Action Plan – Responding to the Manage My Health Review RecommendationsOutlines the Ministry’s action plan for responding to the reviews’ recommendations
ReportAppendix 5: MMH Cyber Security Breach Review Phase 2 – fulsomeFulsome review, not for sharing publicly

11. Manage My Health Cyber Security Review Phase 2 – final report

Date: 21 May 2026

Public-facing version of the report of the Manage My Health incident, prepared by CyberCX on behalf of the Ministry of Health.

© Ministry of Health – Manatū Hauora