Listen to Simply Privacy partner Frith Tweedie speaking with Jesse Mulligan on RNZ Afternoons about the Manage My Health privacy breach and the Privacy Commissioner’s recent inquiry findings.
The discussion explores why this was not simply a cyber security incident or “hack”, but a broader failure of governance, oversight and accountability. While the Privacy Commissioner’s report identified technical security weaknesses within Manage My Health itself, it also found significant shortcomings in Health NZ’s approach to privacy governance, due diligence, risk assessment and vendor oversight.
The findings raise important questions for boards and senior leaders. The Privacy Commissioner’s report illustrates how privacy failures often begin long before a breach occurs, through inadequate governance, weak oversight and an over-reliance on vendor assurances. Boards do not need to be technical experts, but they do need sufficient visibility of privacy and cyber risks to provide effective challenge and assurance. You can read more about the governance lessons for boards and executives in our earlier article on the Manage My Health privacy breach, first published by the Institute of Directors in February 2026.
The RNZ conversation also examines the real-world impacts of privacy breaches. Beyond the risk of identity theft, affected individuals reported anxiety, distress, concerns about family violence situations and reduced trust in digital health services.
Finally, the interview discusses the Privacy Commissioner’s recommendation to make third-party providers directly liable for protecting the personal information they process on behalf of customers and what this could mean for future reform of New Zealand’s Privacy Act. See our more detailed look at this issue here.
Listen to the full interview about the Manage My Health privacy breach on RNZ here.