New Zealand Faces Major Health Data Breaches as Privacy Act Falls Behind Global Standards
In late 2025, New Zealand experienced two significant cyberattacks targeting healthcare systems, exposing critical gaps in the country’s privacy protections. The first breach involved Manage My Health (MMH), a patient portal used by public health organizations, where ransomware attackers accessed and exfiltrated medical records of approximately 120,000 patients, threatening to leak them on the dark web. Weeks later, on February 22, 2026, MediMap, a portal used by aged-care homes, hospices, and disability services, was taken offline after unauthorized actors tampered with patient records, including altering names, birthdates, and even marking living patients as "deceased."
These incidents, among the most severe in New Zealand’s history, have intensified scrutiny of the Privacy Act 2020, which critics argue lacks sufficient enforcement mechanisms. Unlike global counterparts such as the EU’s GDPR or Australia’s Privacy Act, New Zealand’s law imposes no civil penalties for breaches of core privacy principles, such as failing to secure personal data. The only financial consequences, up to NZD10,000, apply to failures to notify the Privacy Commissioner of a breach, while damages awarded through the Human Rights Review Tribunal (capped at NZD350,000) require proof of harm and a lengthy judicial process.
The Office of the Privacy Commissioner (OPC) reported a 43% increase in serious breach notifications in its 2024-25 annual report, underscoring the urgency for reform. Without stronger penalties, privacy risks losing priority to other corporate concerns, leaving New Zealanders vulnerable. The breaches also raise concerns about the country’s EU adequacy status, which could be jeopardized if privacy protections fail to meet international standards.
In response, Prime Minister Christopher Luxon acknowledged the need to strengthen cybersecurity laws, coinciding with the release of New Zealand’s Cyber Security Strategy 2026-2030 on February 27, 2026. The accompanying Action Plan 2026-2027 tasks the Ministry of Justice with exploring civil penalties for privacy violations and a potential new offense for mishandling illegally obtained data. While some organizations argue they already prioritize privacy, the recent breaches suggest systemic vulnerabilities, reinforcing calls for legislative reform to align with global best practices.
MediMap cybersecurity rating report: https://www.rankiteo.com/company/medi-map
"id": "MED1772728377",
"linkid": "medi-map",
"type": "Cyber Attack",
"date": "2/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '120,000 patients',
'industry': 'Healthcare',
'location': 'New Zealand',
'name': 'Manage My Health (MMH)',
'type': 'Patient Portal'},
{'industry': 'Healthcare (Aged-care, Hospices, '
'Disability Services)',
'location': 'New Zealand',
'name': 'MediMap',
'type': 'Patient Portal'}],
'data_breach': {'data_exfiltration': 'Yes (MMH)',
'number_of_records_exposed': '120,000 (MMH)',
'personally_identifiable_information': 'Yes (Names, '
'birthdates, medical '
'records)',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Medical records',
'Patient personal information']},
'date_detected': '2025',
'date_publicly_disclosed': '2026-02-22',
'description': 'New Zealand experienced two significant cyberattacks '
'targeting healthcare systems, exposing critical gaps in the '
'country’s privacy protections. The first breach involved '
'Manage My Health (MMH), where ransomware attackers accessed '
'and exfiltrated medical records of approximately 120,000 '
'patients. Weeks later, MediMap, a portal used by aged-care '
'homes, hospices, and disability services, was taken offline '
'after unauthorized actors tampered with patient records.',
'impact': {'brand_reputation_impact': 'Significant',
'data_compromised': 'Medical records, patient personal information',
'downtime': 'MediMap taken offline',
'identity_theft_risk': 'High',
'operational_impact': 'Patient records tampered with, services '
'disrupted',
'systems_affected': ['Manage My Health (MMH)', 'MediMap']},
'initial_access_broker': {'data_sold_on_dark_web': 'Threatened (MMH)'},
'lessons_learned': 'New Zealand’s Privacy Act 2020 lacks sufficient '
'enforcement mechanisms, such as civil penalties for '
'breaches, leaving the country vulnerable to cyberattacks. '
'The breaches highlight the need for legislative reform to '
'align with global standards like GDPR.',
'motivation': ['Data Exfiltration', 'Financial Gain', 'Disruption'],
'post_incident_analysis': {'corrective_actions': 'Exploring civil penalties '
'for privacy violations, '
'potential new offense for '
'mishandling illegally '
'obtained data, alignment '
'with global privacy '
'standards',
'root_causes': 'Insufficient enforcement of '
'privacy protections, lack of civil '
'penalties under Privacy Act 2020, '
'systemic vulnerabilities in '
'healthcare cybersecurity'},
'ransomware': {'data_exfiltration': 'Yes (MMH)'},
'recommendations': 'Strengthen cybersecurity laws, introduce civil penalties '
'for privacy violations, and explore new offenses for '
'mishandling illegally obtained data. Improve enforcement '
'mechanisms under the Privacy Act 2020.',
'references': [{'source': 'Office of the Privacy Commissioner (OPC) Annual '
'Report 2024-25'},
{'source': 'New Zealand Cyber Security Strategy 2026-2030'}],
'regulatory_compliance': {'regulations_violated': ['Privacy Act 2020'],
'regulatory_notifications': 'Yes (Privacy '
'Commissioner '
'notified)'},
'title': 'Major Health Data Breaches in New Zealand (2025-2026)',
'type': ['Ransomware', 'Data Tampering']}