News · June 1, 2026 · 4 min read

NZ Privacy Watchdog Faults Health Provider Over 99K-Patient Portal Breach

Te Whatu Ora Health New Zealand and Manage My Health failed to protect patient records in a December cyberattack affecting nearly 100,000 people. The Privacy Commissioner found multiple preventable security gaps and weak oversight of third-party vendors.

Our Take

This is not a vendor failure alone; it is a procurement and governance failure by the health authority, which outsourced patient data to an inadequately vetted third party without contractual protections or direct security oversight.

Why it matters

Health systems globally are moving sensitive records into third-party portals without equivalent diligence. New Zealand's Privacy Commissioner and Ministry of Health are now signalling that leaving vendor vetting to individual providers does not work, and are pushing toward centralised verification of key vendors and direct legal liability for the vendors themselves.

Do this week

Health IT procurement teams: audit your third-party health portal contracts this week and confirm that multifactor authentication is mandatory (not merely available), that incident detection and response SLAs are defined, and that you hold direct contractual rights to security audits before go-live and on a schedule afterwards.

Te Whatu Ora Failed to Vet Manage My Health Before Data Exposure

New Zealand's Privacy Commissioner has formally found that Te Whatu Ora Health New Zealand and Manage My Health Limited breached the Health Information Privacy Code over a December cyberattack affecting 99,416 patients (figure per the Office of the Privacy Commissioner). The incident is described as one of New Zealand's largest known breaches of sensitive personal information.

The attack exploited stolen patient credentials to access and copy documents from thousands of accounts within the My Health Documents module of the Manage My Health portal. Attackers gained access to patient-uploaded documents, hospital discharge summaries, and personal identifiers including names, dates of birth, NHI numbers, addresses, email addresses, and phone numbers. Around 91% of affected patients were in Northland, where Te Whatu Ora had a unique arrangement with Manage My Health to make hospital records available through the portal.

The Privacy Commissioner's inquiry found the breach was not caused by a single failure but by a combination of preventable gaps. Multifactor authentication was available on the platform but remained optional, so a stolen password alone was enough to open an account. Web security and identity and access management controls were "not sufficiently effective." Manage My Health's own systems failed to detect the breach, even though it involved access to thousands of accounts; the company only learned of it after Te Whatu Ora raised the alarm.
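The detection gap above is the part of this story a security team can act on directly. The pattern described, stolen credentials used to log in to many accounts and copy documents, leaves a recognisable footprint in authentication and document-access logs even when every individual login succeeds. The following is an added example, not code from Manage My Health, Te Whatu Ora, or the Privacy Commissioner's report; the log format, field names, thresholds, and sample log lines are all assumptions constructed for illustration. It runs two detections over the sample log: one source IP successfully logging in to many distinct accounts within a short window, and one account downloading documents at a rate no individual patient would.

```python
"""Two simple portal-abuse detections (added example; assumed log format).

Assumed line format:  <ISO-8601 UTC ts> <EVENT> user=<id> ip=<addr> [doc=<id>]
EVENT is LOGIN_OK or DOC_DOWNLOAD. Real portals would feed this from their
auth and document-service logs; thresholds below are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+)"
    r"(?: doc=(?P<doc>\S+))?$"
)

# Constructed sample data, not real patient or attacker activity.
# 203.0.113.5 logs in to six accounts in under three minutes and takes one
# document from each; 203.0.113.9 drains five documents from a single account
# in seconds; 198.51.100.7 is an ordinary patient reading one document.
SAMPLE_LOG = """\
2025-12-01T02:00:00Z LOGIN_OK user=p1001 ip=203.0.113.5
2025-12-01T02:00:03Z DOC_DOWNLOAD user=p1001 ip=203.0.113.5 doc=d101
2025-12-01T02:00:30Z LOGIN_OK user=p1002 ip=203.0.113.5
2025-12-01T02:00:33Z DOC_DOWNLOAD user=p1002 ip=203.0.113.5 doc=d102
2025-12-01T02:01:00Z LOGIN_OK user=p1003 ip=203.0.113.5
2025-12-01T02:01:03Z DOC_DOWNLOAD user=p1003 ip=203.0.113.5 doc=d103
2025-12-01T02:01:30Z LOGIN_OK user=p1004 ip=203.0.113.5
2025-12-01T02:01:33Z DOC_DOWNLOAD user=p1004 ip=203.0.113.5 doc=d104
2025-12-01T02:02:00Z LOGIN_OK user=p1005 ip=203.0.113.5
2025-12-01T02:02:03Z DOC_DOWNLOAD user=p1005 ip=203.0.113.5 doc=d105
2025-12-01T02:02:30Z LOGIN_OK user=p1006 ip=203.0.113.5
2025-12-01T02:02:33Z DOC_DOWNLOAD user=p1006 ip=203.0.113.5 doc=d106
2025-12-01T02:10:00Z LOGIN_OK user=p3001 ip=203.0.113.9
2025-12-01T02:10:05Z DOC_DOWNLOAD user=p3001 ip=203.0.113.9 doc=d301
2025-12-01T02:10:06Z DOC_DOWNLOAD user=p3001 ip=203.0.113.9 doc=d302
2025-12-01T02:10:07Z DOC_DOWNLOAD user=p3001 ip=203.0.113.9 doc=d303
2025-12-01T02:10:08Z DOC_DOWNLOAD user=p3001 ip=203.0.113.9 doc=d304
2025-12-01T02:10:09Z DOC_DOWNLOAD user=p3001 ip=203.0.113.9 doc=d305
2025-12-01T09:15:00Z LOGIN_OK user=p2001 ip=198.51.100.7
2025-12-01T09:15:40Z DOC_DOWNLOAD user=p2001 ip=198.51.100.7 doc=d201
"""


def parse_log(text):
    """Parse log lines into dicts sorted by timestamp; reject malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def _sliding_windows(items, window):
    """Yield (start, end) index pairs where items[start:end+1] all lie within
    `window` of items[end]. Items must be sorted by 'ts'."""
    start = 0
    for end, item in enumerate(items):
        while item["ts"] - items[start]["ts"] > window:
            start += 1
        yield start, end


def ips_hitting_many_accounts(events, window=timedelta(minutes=10), min_accounts=5):
    """Source IPs that successfully log in to >= min_accounts distinct accounts
    within `window`. Successful logins only: with MFA optional, a stolen
    password produces no failures to alert on. Returns {ip: max distinct users}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_OK":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, logins in by_ip.items():
        for start, end in _sliding_windows(logins, window):
            users = {x["user"] for x in logins[start:end + 1]}
            if len(users) >= min_accounts:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged


def accounts_bulk_downloading(events, window=timedelta(minutes=5), max_docs=5):
    """Accounts that download >= max_docs documents within `window`.
    Catches single-account draining that the per-IP check would miss.
    Returns {user: max downloads seen in one window}."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "DOC_DOWNLOAD":
            by_user[e["user"]].append(e)
    flagged = {}
    for user, downloads in by_user.items():
        for start, end in _sliding_windows(downloads, window):
            count = end - start + 1
            if count >= max_docs:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def run_detections(text):
    """Run both detections over raw log text and return the combined findings."""
    events = parse_log(text)
    return {
        "multi_account_ips": ips_hitting_many_accounts(events),
        "bulk_download_accounts": accounts_bulk_downloading(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_LOG).items():
        print(name, hits)
```

The two checks are deliberately complementary: the per-IP rule catches an attacker walking through a list of stolen credentials from one address, and the per-account rule catches a single compromised account being emptied. Both look only at successful events, which is the point when MFA is optional: nothing in the attack fails, so a failure-rate alert never fires. In production you would tune the windows and thresholds against the portal's normal baseline and add an "IP never seen for this account" signal, which needs per-account history that a toy sample cannot show.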

Te Whatu Ora's Governance Failures

The Privacy Commissioner found that Te Whatu Ora failed to meet "very strong standards" of due diligence and risk management required for a novel, large-scale arrangement. Gaps included incomplete privacy risk assessments, inadequate contract drafting, weak project governance, and apparent overreliance on assurances from Manage My Health. No direct privacy or security representative sat on the project steering group. The contracts between the two organisations were "not fit for purpose and did not contain appropriate protections for patient information."

Manage My Health has since implemented mandatory multifactor authentication, fixed the vulnerability exploited in the attack, and updated contracts and policies. However, the Privacy Commissioner has not independently validated those fixes.

A separate Ministry of Health review, released days after the Privacy Commissioner's report, called the breach "largely preventable" and identified significant security control gaps and application security risks that had not been fully addressed before the incident.

The Real Problem: No Central Vendor Security Oversight

The Privacy Commissioner's core finding cuts deeper than one portal operator's failures. The inquiry revealed that health sector suppliers, including patient portal providers, face no centralised verification of their security standards. Individual GPs and health providers must assess vendors on their own, so the quality of vendor vetting depends on each provider's capacity and judgement rather than on any sector-wide baseline.

Te Whatu Ora's mistake was not technical incompetence but structural: the health authority outsourced sensitive data to a third party without contractual leverage, without direct security oversight, and without governance representation from privacy and security experts. The Privacy Commissioner is now recommending that the Ministry of Health establish a centralised, ongoing programme to verify the security of key health sector vendors rather than leaving each provider to evaluate suppliers independently.

The commissioner also recommended that the Ministry of Justice seek amendments to the Privacy Act to make third-party service providers directly liable for reasonable security safeguards, not just the organisations that hire them. This signals a shift toward vendor accountability rather than relying on procurement diligence alone.

What Health IT Procurement Must Do Now

The Privacy Commissioner's findings expose a gap in how health organisations structure third-party vendor agreements. Procurement teams must stop treating security as optional or as something delegated to the vendor's assurances. Contracts must mandate multifactor authentication for every account holding patient data, define incident detection and response timelines with consequences for missing them, and grant the health organisation direct rights to commission security audits and penetration testing before go-live and on a scheduled basis thereafter.

Te Whatu Ora is now pulling patient data out of the Manage My Health portal and reverting to paper discharge summaries. That is not a fix; it is an admission that the digital arrangement was not secure enough to operate under the conditions agreed. Other health systems using similar third-party portals should conduct a parallel audit of their vendor contracts and security controls now, before they face a similar breach inquiry.

The Privacy Commissioner has signaled that compliance notices requiring both organisations to demonstrate remediation are forthcoming. A second phase of the inquiry will examine patient consent, data retention, deletion practices, and breach notification compliance. More enforcement is coming.
