Recent breaches in Aotearoa: what they mean for New Zealand organisations 


Within the first few days of 2026, we were reminded that cyber security isn’t a distant risk. The breach affecting the Manage My Health patient portal, one of the most widely used platforms in Aotearoa, is among the most significant privacy incidents New Zealand has seen. 

Hackers gained unauthorised access to sensitive health information, potentially affecting more than 100,000 people, and threatened to release stolen data online. 

The scale and sensitivity of the information involved understandably caused concern across the health sector and beyond. But the implications reach well outside healthcare. Incidents like this highlight broader questions about resilience, governance and how prepared organisations are when something does go wrong. 

Cyber incidents now affect organisations of every size and sector 

For many businesses, the risk is no longer if, but when. The impact can extend beyond systems and data to include operational disruption, regulatory scrutiny, reputational damage and loss of trust. 

The National Cyber Security Centre (NCSC) regularly emphasises that reporting incidents early and preparing for response is critical, both for individual organisations and for the wider ecosystem. In other words, resilience matters just as much as prevention. 

What the Manage My Health breach highlights for other organisations 

While investigations are ongoing, a few themes are already clear: 

  1. Third-party platforms are part of your risk surface 
    Many organisations rely on external platforms and software providers. The Manage My Health breach shows how data held within a connected system can still have significant downstream impacts for partner organisations and customers. 

  2. Sensitive data carries high stakes 
    Health information is among the most sensitive data any organisation can hold. But even outside healthcare, businesses manage financial, identity and personal information that can cause real harm if exposed. 

  3. Communication matters 
    How organisations respond publicly to an incident – how quickly they communicate, how transparent they are, how they support affected users – has a major influence on trust and reputation. The NCSC has guidance specifically on communicating during cyber incidents.

  4. Governance and oversight are under the microscope 
    Major breaches often lead to reviews of systems, processes and accountability. In the case of Manage My Health, a formal inquiry has been launched to examine what happened and what needs to change. It’s important to acknowledge that cyber security is no longer just an IT issue, but a governance and leadership issue (we recently shared more about trust, tech and sustainability in the boardroom following the Institute of Directors’ 2025 Leadership Conference). This aligns with recent commentary questioning whether Aotearoa treats data breaches with the level of seriousness they warrant, particularly at board, executive and governmental level, so that the private sector is treated with the same rigour as public sector entities. When oversight structures lag behind the reality of risk, incidents become more likely and consequences more severe.

What organisations in Aotearoa should be thinking about now 

No business or platform is immune to attack, but there are practical steps you can take as an organisation to reduce risk and improve readiness. 

  • Know what you hold and why 
    Understand the data you collect, where it sits, who can access it and whether you still need it. Minimising unnecessary data reduces exposure. 

  • Strengthen incident response capability 
    The NCSC encourages organisations to have clear incident response plans, defined roles and regular exercises. Being prepared can significantly reduce the impact of a breach. That includes knowing: 
    - who leads the response 
    - how systems are isolated 
    - how stakeholders are informed 
    - when and how to report externally  

  • Report incidents early 
    Local organisations can report cyber incidents directly to NCSC, which can provide advice and help coordinate a response. Reporting also helps to build a clearer national picture of threats. 

  • Treat cyber resilience as ongoing work 
    Effective security isn’t a one-off project but a continuous, evolving process across governance, protection, detection, response and recovery. That means regular review of: 
    - access controls 
    - patching and updates 
    - staff training and awareness 
    - supplier risk 
    - backup and recovery processes  

  • Consider investing in cyber insurance 
    Even when you do all of the right things, breaches can occur. Cyber insurance provides not just peace of mind and a way to minimise the financial impact, but also specialised resources for incident response, recovery and communication. 

Your response could define how customers trust you going forward 

Incidents like the Manage My Health breach are confronting, particularly when they involve personal, sensitive data. But they also reinforce an important reality: strong cyber practices are part of modern organisational stewardship. 

Customers, partners and regulators increasingly expect transparency, preparedness and accountability. Now is a good time to sense-check resilience, review incident plans and make sure cyber security is being discussed at leadership level, not just in IT teams. 

We work with organisations to build practical, people-first security foundations that protect your business without slowing you down.  

Our approach to cyber security is grounded, clear and made for the real world. We help you understand your risk, put the right controls in place, and improve security over time. From risk assessments and security baseline checks to training and incident response planning, we support you to build a safer digital environment that works for everyone.  

If you’ve realised that security needs tightening in your organisation, reach out to us to book a call. 
