Pacific communities in NZ pay the price as government blamed for health data breach

Thousands of Pacific families across Aotearoa New Zealand are reeling after the recent ManageMyHealth breach exposed private records such as medical histories, prescriptions, and test results.

The Government is facing growing pressure to accept responsibility for what health advocates say is a major privacy failure after the data breach exposed the personal health information of more than 100,000 people across Aotearoa.

The patient portal, Manage My Health, is experiencing technical issues, including sending blank or confusing emails, as it deals with a cybersecurity breach.

The privately run service, used by some GP practices in New Zealand, says about 125,000 users may have been affected by unauthorised access to the “My Health Documents” section late last year.

It says core services such as appointments, prescriptions and health records were not accessed and remain secure.

The company has obtained a temporary High Court injunction to prevent misuse of any stolen data, while the Government has ordered a review into how the breach was handled.

Manage My Health says it has begun notifying affected patients. Photo/RNZ/Finn Blackwell

Pacific advocates say the breach has hit close to home, with many families relying on digital health services to manage long-term conditions, access prescriptions and stay connected to doctors.

They say the breach hits not just data but trust in the health system itself.

The Public Service Association (PSA) says the breach was not a surprise but the result of years of underfunding the Office of the Privacy Commissioner, the very agency meant to protect people’s sensitive information.

“This is what happens when warnings are ignored,” PSA National Secretary Fleur Fitzsimons says in a statement. “The Government was told clearly that the Privacy Commissioner did not have enough resources to meet growing privacy threats, but it chose to cut funding anyway.”

Fitzsimons says the Office of the Privacy Commissioner warned the incoming Government in late 2023 that it had “insufficient funding” to cope with a sharp rise in complaints and growing risks from new technology.

She adds that the warning was repeated in its most recent annual report, which stated that funding had fallen in real terms despite increased responsibilities.

Despite this, the Government went ahead with a 6.5 per cent funding cut to the Office, she says.

Now, with the ManageMyHealth breach unfolding, Fitzsimons says those decisions have real consequences.

“Cuts have consequences, and Pacific communities are often the first to feel them. Health data is deeply personal. When it’s exposed, trust is broken.”

Pacific health workers say the breach has shaken trust in digital health systems relied on by families managing long-term conditions. Photo/Supplied

For Pacific people, that trust is critical. Many already face barriers in the health system, including language challenges, cost and access.

Digital platforms like ManageMyHealth are widely used by Pacific families to book appointments, check test results, and support elders with ongoing care.

Pacific health worker and unionist Lagi Taufao says the breach has caused anxiety in the community.

“Our people share a lot of information with the health system because we’re managing diabetes, heart disease, asthma - things that affect whole families,” she says. “When that data isn’t protected, it feels like we’ve been let down again.”

The PSA says the Privacy Commissioner has been left overstretched and unable to do basic preventative work, such as educating organisations about privacy obligations or providing specialist advice on data protection.

On its website, the Office of the Privacy Commissioner currently warns the public there is “high demand” for its services and that complaints may be delayed.

Digital platforms are widely used by Pacific families to manage prescriptions, appointments and test results - making data protection critical. Photo/ManageMyHealth

The union says this is a sign of an agency pushed beyond its limits. Beyond funding, there are also concerns that New Zealand’s privacy laws are out of date.

The Privacy Commissioner has repeatedly told the Government that a full review of the Privacy Act is urgent, especially as new risks emerge from artificial intelligence, biometric data and children’s online privacy.

“These are not future problems, they’re here now,” Fitzsimons says. “Pacific kids, Pacific families, Pacific elders are all part of the digital world, but the protections haven’t kept up.”

The PSA is calling on the Government to apologise for the funding cuts, restore money to the Office of the Privacy Commissioner immediately, and commit to a full review of privacy laws.

Taufao agrees, saying the issue goes beyond one breach. “If nothing changes, this will happen again,” she says. “Our communities deserve to know their private health information is safe.”

As investigations into the ManageMyHealth breach continue, Pacific leaders and unions alike say the message is clear: protecting privacy is not optional and underfunding watchdogs comes at a cost felt most by vulnerable communities.