OPINION
A high-profile cyber incident exposed deeper failures in accountability, leadership and organisational responsibility.
The Manage My Health (MMH) breach brought into sharp focus the damage that can flow from privacy failures. It underscores the importance of robust privacy governance in maintaining trust and provides a lesson to which all New Zealand boards should be paying close attention.
Widely characterised as one of New Zealand’s most serious privacy failures, the MMH breach involved attackers accessing highly sensitive health information. The CEO acknowledged the attackers gained access “through the front door” using a valid password, raising serious questions about basic security and governance practices in an organisation entrusted with deeply personal data.
The information involved included psychiatric records, sexual health details and domestic violence disclosures. The potential impacts go well beyond inconvenience or administrative error, encompassing risks of blackmail, identity misuse and emotional harm. These consequences are likely to endure long after technical remediation is complete.
It would be a mistake to see this breach as only relevant to the health sector. While health information is especially sensitive, it is not the only type of personal information that can cause harm or reputational damage when mishandled. All organisations hold personal information about staff, and most also hold it about customers, members, suppliers or partners.
Recent breaches illustrate the risks. In addition to MMH, incidents involving Waikato District Health Board, Mediaworks and Latitude Finance have each drawn attention to failures of governance, judgement and oversight. Across the Tasman, the Optus and Medibank breaches have resulted in significant regulatory penalties, litigation and long-term reputational damage.
Many privacy failures occur without a cyber incident. Examples include unauthorised staff access to personal information or misuse of data for inappropriate purposes.
It is also important to understand that privacy is not the same as cybersecurity. While strong security controls are foundational, privacy considerations go further. They include whether collection practices are transparent, fair and proportionate; whether information is retained longer than necessary; whether information is used consistently with the purpose for which it was collected; and whether individuals’ access and correction rights are respected.
This distinction matters for boards. A purely cybersecurity lens risks missing some of the most common and damaging privacy risks. Boards need to ensure they are drawing on the right expertise and not defaulting to a security-only view of privacy governance.
Privacy risk sits alongside other enterprise risks that affect organisational value, trust and social licence. There is also a strong business case for engaging with privacy, both to avoid direct costs, such as breach response and remediation, and to mitigate non-financial impacts such as loss of trust, brand damage and operational disruption.
Good privacy practices also deliver tangible organisational value. When privacy is understood and addressed early, organisations can move faster and with greater confidence, avoiding costly delays later.
Robust privacy governance reduces the likelihood and impact of incidents, which helps support trust in your organisation. For boards, the return on investment is fewer surprises, greater resilience and increased confidence in strategic initiatives.
This is reflected in the Office of the Privacy Commissioner’s Poupou Matatapu guidance, which sets out what “doing privacy well” looks like in practice. The governance pou is explicit about privacy leadership, oversight, accountability and resourcing, including setting the right “tone from the top”.
Boards should reflect on their role in privacy governance and seek clear visibility of their organisation’s most significant privacy risks, not just its cybersecurity posture.
Many boards are commissioning privacy maturity assessments or privacy health checks to understand current capability and gaps, as well as management’s approach to privacy resourcing and operations.
Practical questions boards should be asking include:
There is growing discussion about whether New Zealand’s privacy regime should evolve toward stronger penalties and enforcement tools to protect Kiwis’ personal information in line with privacy law reform overseas.
Regulatory penalties can be a powerful driver of behaviour. We often see a stark difference in how organisations approach privacy risk when operating under Australian or European privacy regimes, where penalties are materially higher than those in New Zealand.
Activities that are sometimes regarded as acceptable risk locally take on a very different significance when confronted with the prospect of substantial fines for the same conduct offshore.
Justice Minister Hon Paul Goldsmith has stated he will be “taking advice on possible updates to the Privacy Act”. While the timing and scope of any reform remain uncertain, international experience shows that stronger penalties sharpen board and executive focus on privacy risk and elevate it within governance conversations.
Boards would be unwise to wait for legislative change before acting. Organisations that treat privacy as a strategic risk now will be better placed to manage scrutiny, protect trust and avoid the disruption that comes from being forced to respond under pressure.
The Manage My Health breach is a reminder that significant privacy failures are rarely just technical incidents. They are governance failures, exposing gaps in oversight, decision-making and organisational focus.
Ultimately, privacy governance is about protecting enterprise value by protecting people. Boards set the tone for that approach.
Frith Tweedie is a Partner at Simply Privacy, where she helps clients build strong privacy and responsible AI practices. A former lawyer, she has more than 20 years’ experience advising on privacy, technology and intellectual property law. She was previously General Counsel and Chief Privacy Officer at a New Zealand technology company and Head of Digital Law for Australia and New Zealand for EY Law. She serves on the Government Chief Digital Officer’s AI Expert Advisory Panel and the global advisory board of the International Association of Privacy Professionals’ AI Governance Center.