@biddy_sue @felix @kyhwana @ThisCJ @oseiler

Privacy Commissioner's response to ManageMyHealth breach: A masterclass in looking busy while doing nothing
Timeline:

29 Dec 2025: ManageMyHealth breach detected (108K-126K users affected)
21 Jan 2026: Privacy Commissioner announces inquiry
31 Mar 2026, 16:30: Privacy Commissioner sends email (effective 1 Apr - <24hrs notice)

What the email says:

Enquiries email address closing 1 April
All complaint actions PAUSED until inquiry completes (no timeline given)
To complain, you must FIRST:
• Contact ManageMyHealth (who didn't respond to my 3 emails)
• Contact Te Whatu Ora
• Contact your GP
• Provide documentary evidence of all attempts
• Prove you gave them "reasonable chance to respond"
Must demonstrate individual harm (not "general concerns about the breach")

The Catch-22:

Data not breached? = No individual harm = "general concerns" = not actionable
Data was breached? = Must exhaust remedies with organisations that failed to protect you first
Either way? = Complaint action paused indefinitely anyway

What this reveals:
The Privacy Commissioner is conducting an inquiry (looks like action) while making individual complaints nearly impossible (avoids making findings against government agencies/contractors).
Independent security analysis showed ManageMyHealth had:

DMARC set to monitoring only (anyone could spoof their domain)
Weak 1024-bit DKIM keys (not industry standard 2048-bit)
Zero DNSSEC protection across 19 subdomains
Misconfigured email transport security

These are basic infrastructure failures, known best practices for over a decade.
But apparently that's a "general concern" not worth the Privacy Commissioner's time.
Sent at 16:30 on 31 March, effective 1 April. You were meant to miss it.

#NZPol #Privacy #DataBreach #ManageMyHealth #PrivacyCommissioner #Accountability
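The four findings listed above (DMARC in monitoring mode, 1024-bit DKIM keys, no DNSSEC, weak transport security) are the kind of thing a defender can check mechanically from a domain's published DNS records. The Python below is an added example, not part of the post or of the BlackVeil analysis it cites: it parses constructed DMARC and DKIM TXT records for a hypothetical domain example.test, measures the RSA modulus inside the DKIM p= tag by walking its DER, and reports which of the named weaknesses apply. DNSSEC status is assumed to arrive as a flag from a validating resolver (the AD bit), since it cannot be checked offline, and the transport-security item is left out because the post gives no detail on it.

```python
import base64

def _der(tag, body):
    """Minimal DER TLV encoder, used only to build the constructed sample keys."""
    n = len(body)
    if n >= 128:                                    # long form: 0x8k then k length bytes
        k = (n.bit_length() + 7) // 8
        return bytes([tag, 0x80 | k]) + n.to_bytes(k, "big") + body
    return bytes([tag, n]) + body

def fake_rsa_dkim_p(bits):
    """Constructed SubjectPublicKeyInfo with a modulus of `bits` 0xFF bits: valid DER, NOT a real key."""
    modulus = b"\x00" + b"\xff" * (bits // 8)       # leading 0x00 keeps the INTEGER positive
    rsa_key = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    alg_id = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    return base64.b64encode(_der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))).decode()

def _tlv(buf, i=0):
    """Decode one DER TLV at offset i -> (tag, value bytes, offset after it)."""
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:                                    # long-form length
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + n], i + n

def dkim_modulus_bits(p_b64):
    """Bit length of the RSA modulus inside a DKIM p= tag (base64 SPKI DER)."""
    _, spki, _ = _tlv(base64.b64decode(p_b64))
    _, _, after_alg = _tlv(spki)                    # skip AlgorithmIdentifier
    _, bitstr, _ = _tlv(spki, after_alg)            # BIT STRING wrapping RSAPublicKey
    _, rsa_key, _ = _tlv(bitstr, 1)                 # byte 0 is the unused-bits count
    _, modulus, _ = _tlv(rsa_key)
    return int.from_bytes(modulus, "big").bit_length()

def parse_tags(txt):
    """'v=DMARC1; p=none; rua=...' -> {'v': 'DMARC1', 'p': 'none', ...}"""
    return dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)

def audit_mail_posture(dmarc_txt, dkim_txt, dnssec_validated):
    """Findings for the failure modes in the post; a missing DMARC record counts as p=none."""
    findings = []
    if parse_tags(dmarc_txt).get("p", "none") == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    if dkim_modulus_bits(parse_tags(dkim_txt)["p"]) < 2048:
        findings.append("DKIM RSA key shorter than 2048 bits")
    if not dnssec_validated:
        findings.append("DNSSEC not validated: DMARC/DKIM answers can be forged in transit")
    return findings

# Constructed sample records for a hypothetical domain, not any real organisation's DNS.
WEAK = dict(dmarc_txt="v=DMARC1; p=none; rua=mailto:dmarc@example.test",
            dkim_txt="v=DKIM1; k=rsa; p=" + fake_rsa_dkim_p(1024), dnssec_validated=False)
HARDENED = dict(dmarc_txt="v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc@example.test",
                dkim_txt="v=DKIM1; k=rsa; p=" + fake_rsa_dkim_p(2048), dnssec_validated=True)
```

`audit_mail_posture(**WEAK)` returns all three findings and `audit_mail_posture(**HARDENED)` returns none; the same parser works on records fetched with a resolver, since DKIM p= values are exactly this base64 SPKI form.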

Got another evasive e-mail from #managemyhealth, who appear unwilling to tell me what of my personal information they hold. Or, more likely, not intelligent enough to understand that I want a list, not directions to mess around with their website.

Forwarded to Privacy Commission as an addendum to my complaint, qua evidence of continuing to drag heels in poor faith.

Yikes!

https://www.stuff.co.nz/nz-news/360942689/major-nz-health-app-breach-alive-patients-marked-deceased-names-changed-charlie-kirk

> An apparent hack of medication platform MediMap has led to some alive patients being marked as deceased, and others labelled as ‘Charlie Kirk’.

> The digital medication management platform MediMap widely used across New Zealand remains offline after some records were found to have been “incorrectly modified”.

Another day, another #NZ #Aotearoa health system breach ...

#breach #privacy #ManageMyHealth

@biddy_sue @felix @kyhwana @ThisCJ @oseiler @kyhwana

I received a reply from the Office of the Privacy Commissioner today — largely procedural. It feels like quiet discouragement from pursuing the matter. Shame I am not wired that way. 😂

I replied with compiled evidence of:
• Process compliance (complaints lodged with both organisations the same day as OPC)
• Good-faith patience (5+ weeks allowed)
• Documented non-response (no substantive technical answers)

I have asked the OPC to confirm my complaint is formally registered and considered for investigation. 😎

It should not require this level of persistence to trigger accountability — but here we are. Perhaps I am stubborn? 🤔

#ManageMyHealth #databreach

Information security in New Zealand's health system is like a Jenga tower, according to Adam Burns of BlackVeil, who profiled all relevant domains for misconfiguration following the catastrophic #ManageMyHealth data breach.

https://www.stuff.co.nz/nz-news/360932663/jenga-tower-why-nzs-health-cyber-security-leaving-patients-exposed-expert

@Firesphere

There's been a trickle of news about #ManageMyHealth, perhaps most significantly that the Privacy Commissioner is to do an inquiry:

https://www.nzdoctor.co.nz/article/news/privacy-commissioner-announces-inquiry-health-hacking-scandal

Privacy commissioner announces inquiry into health hacking scandal

Privacy commissioner Michael Webster will conduct an inquiry into the Manage My Health cyberattack to investigate privacy issues involved and whether appropriate safeguards were in place

New Zealand Doctor
Manage My Health data breach: Fraudsters attempting to contact customers

The organisation said customers may receive spam or phishing emails impersonating Manage My Health.

RNZ

I suppose it's good to warn hack victims of potential exploits involving their data, but this PR from ManageMyHealth seems entirely speculative. The asterisks are mine.

"... fraudsters *could* now be attempting to contact its customers..."

"... people *might* now be sending spam or phishing emails that impersonate the company..."

"... secondary actors *may* impersonate MMH..."

More worrying is MMH saying it's "notified *most* of the people affected by the data breach" when it's been over three weeks since the hack was announced.

https://www.rnz.co.nz/news/national/584745/manage-my-health-data-breach-fraudsters-attempting-to-contact-customers

#ManageMyHealth #Privacy #NZ

@biddy_sue @felix @kyhwana @ThisCJ
Here are some thoughts on the recent #managemyhealth announcement in Stuff today https://www.stuff.co.nz/nz-news/360927765/privacy-commissioner-launches-inquiry-manage-my-health-data-breach

Typically the Government's review focuses on response to the incident, not on why a privately-run patient portal handling sensitive health data had such poor security infrastructure in the first place.
That's classic bureaucratic risk avoidance: review the incident response (which they can control going forward) rather than the procurement/oversight decisions (which might expose systemic failures in how Health NZ contracts with private health IT providers).

The Privacy Commissioner inquiry is the mechanism that might actually examine whether the SPF/DMARC/DKIM/DNSSEC gaps identified constituted adequate security safeguards. The inquiry will determine whether appropriate security safeguards were in place and, if not, why not, plus what steps will prevent recurrence.

Have to wait for the Terms of Reference, due 28 January. That will tell us how serious this inquiry actually is.

@libroraptor NZ Privacy Commissioner announces inquiry into #ManageMyHealth #DataBreach and #privacy issues. Inquiry will also look at what steps will be taken to prevent such an incident happening again.

IMHO that should also include legal and policy settings and what actions by NZ Government and #HealthNZ are needed.
#NZpol
https://www.rnz.co.nz/news/national/584627/privacy-commissioner-announces-inquiry-into-manage-my-health-cybersecurity-breach

Privacy Commissioner announces inquiry into Manage My Health cybersecurity breach

The Privacy Commissioner says it is clear an investigation is needed given the scale of the incident.

RNZ