The Ministry of Health has now completed its review into the Manage My Health cyber security breach.
This review was commissioned following one of the most serious cyber incidents experienced in New Zealand. The breach involved unauthorised access to sensitive clinical and personal health information of over 99,000 individuals across New Zealand. This resulted from multiple weaknesses rather than a single failure. Early in the review process, the Ministry separated the work into two distinct phases to allow urgent technical risks to be identified and acted on quickly, while still enabling a deeper, system-level assessment to follow.
This page provides access to the Manage My Health (MMH) breach report and related supporting information. The report sets out what happened, how the breach occurred, and the steps taken once it was identified. It also explains the impact of the incident and the findings of the independent review, with a focus on transparency and accountability.
Protecting personal health information is critical. The report outlines clear actions needed to strengthen security controls, governance, and oversight to reduce the risk of similar incidents in the future. Work is underway to address these findings, improve system security, and restore public confidence. Updates will be provided as further improvements are implemented.
Please note that some information has been withheld in line with the provisions of the Official Information Act 1982:
- 9(2)(a) – to protect personal privacy
- 9(2)(b)(ii) – to protect information that is commercially sensitive
- 9(2)(ba)(i) – to protect information which is subject to an obligation of confidence
- 9(2)(g)(i) – to maintain the effective conduct of public affairs through the free and frank expression of opinions
- 9(2)(f)(iv) – to maintain the confidentiality of advice that is under active consideration
- 6(c) – to protect the maintenance of the law.
List of documents
-
…
1. Letter – Commissioning a Ministry of Health-led Review
Date: 4 January 2026
Minister of Health wrote to the Ministry to commission a review with a specific purpose, noting commencement by 30 January 2026.
2. Letter from Manage My Health CEO to the Minister of Health
Date: 6 January 2026
Letter from Vino Ramayah (CEO, Manage My Health) to the Minister of Health acknowledging the Ministry of Health-led review into the breach
3. Weekly Report excerpts
Date: Various
| Date | Title | Summary |
|---|---|---|
| 9.02.2026 | Update on Ministry review – Manage My Health cyber security breach | Informing Minister of the date and scope of the phase one report, and procurement for phase two. |
| 23.02.2026 | Update on Ministry review – Manage My Health cyber security breach | Informs Minister of new date for completion of the phase one report. |
| 13.04.2026 | Progress with the Manage My Health review | Updated the Minister on actions post phase one review, progress with phase two, work underway across government and the next steps. |
4. Letter – Upholding Information Security Standards
Date: 2 March 2026
Joint letter from the Director-General of Health and Chief Executive of HNZ to the health sector.
5. Letter – Phase 2 review of the Manage My Health
Date: 2 March 2026
Letter from the Director-General of Health to the Chief Executive of HNZ advising on the commencement of phase 2 of the MMH review.
6. Letter – Phase 2 review of the Manage My Health
Date: 5 March 2026
Response from the Chief Executive of HNZ to the Director-General’s letter.
7. Manage My Health interim review and next steps – H2026079338
Date: 11 March 2026
| Title | Summary |
|---|---|
| Briefing – Manage My Health interim review and next steps – H2026079338 | Provides the Minister a copy of the interim review and update on next steps. |
| Appendix 1 – Terms of Reference | Terms of reference for the Ministry’s review into the MMH cyber security breach |
| Appendix 2 – Manage My Health Cyber Security Review report | Phase 1 report completed by Bastion |
| Appendix 3A – Letter from Sir Brian Roche | Letter seeking assurance for the Ministry’s arrangements for managing, protecting and overseeing personal information. |
| Appendix 3B – Response from the Ministry of Health | Ministry’s information provided back to PSC. |
8. Preliminary actions post phase one ‘Manage My Health’ review – H2026080142
Date: 20 March 2026
| Title | Summary |
|---|---|
| Briefing – Preliminary actions post phase one ‘Manage My Health’ review H2026080142 | Updates the Minister on progress with addressing the urgent recommendations from phase 1 of the review. |
| Appendix 1 – phase one recommendations and advice | A table of the phase 1 recommendations and actions underway by the Ministry. |
| Appendix 2 – letters sent from Celia Wellington to portal providers | An example of the letters sent from the Deputy Director-General, Corporate Services, to primary care portal providers assessed through desktop analysis. |
| Appendix 3 – passive assessment brief prepared by Bastion for MMH | A summary of the key findings and vulnerabilities detected by Bastion for MMH. |
| Appendix 4 - MMH Response to Bastion Security Review findings – external working document 17-03-2026 | Response from MMH to the phase 1 findings and recommendations. |
9. Action plan for the Manage My Health Cyber Security Breach Review – H2026081778
Date: 14 May 2026
| Title | Summary |
|---|---|
| Briefing – Action plan for the Manage My Health Cyber Security Breach Review H2026081778 | Seeks feedback on the action plan and updates on progress of policy work, both at the Ministry and across government |
| Appendix 1 – Summary of Review recommendations and Ministry’s action plan | Table of recommendations, assigned owners, risk rating, timeframes and actions. |
10. Public release of ‘Manage My Health’ cyber security breach review – H2026082779
Date: 21 May 2026
| Document type | Title | Summary |
|---|---|---|
| Briefing | Public release of ‘Manage My Health’ cyber security breach review H2026082779 | Seeks agreement to release the public facing review into MMH on Wednesday 27 May supported by a press release and proactive release of supporting information. |
| Report | Appendix 1: MMH Cyber Security Breach Review Phase 2 – Public Release | Final review for public release. |
| Letter | Appendix 2: Draft letter from Hon Simeon Brown, Minister of Health | Letter from the Minister of Health to Cabinet colleagues to confirm completion of the MMH report |
| Letter | Appendix 3: Draft letter from Acting Director-General of Health to colleagues | Letter from the Acting Director-General to colleagues to confirm completion of the MMH report |
| Action plan | Appendix 4: Ministry of Health’s Action Plan – Responding to the Manage My Health Review Recommendations | Outlines the Ministry’s action plan for responding to the reviews’ recommendations |
| Report | Appendix 5: MMH Cyber Security Breach Review Phase 2 – fulsome | Fulsome review, not for sharing publicly |
11. Manage My Health Cyber Security Review Phase 2 – final report
Date: 21 May 2026
Public-facing version of the report of the Manage My Health incident, prepared by CyberCX on behalf of the Ministry of Health.