Relief from GPs after Manage My Health inquiry backs ministry vetting

by · RNZ
The Privacy Commissioner found Health NZ and Manage My Health failed to have adequate security controls over the patient data. Photo: RNZ / Finn Blackwell

General practitioners are strongly in favour of a central vetting process for patient portals after the results of the Manage My Health inquiry.

A review by the Privacy Commissioner into the hack of patient portal Manage My Health has called for the vetting of providers to be done centrally, through the Ministry of Health.

It also found Health NZ and Manage My Health "failed in their responsibilities" to have adequate security controls when hundreds of thousands of medical files were stolen in a cyber attack.

The commissioner's report found there was "nothing that GP practices could have done to have prevented this breach and they were not the source of the information that was stolen".

Rather, the records had come from hospitals, under the control of Health NZ.

Justin Butcher from General Practice NZ and chief executive of Pinnacle Midlands Health said it was a relief that practices were not being held liable but security was a "shared responsibility" and therefore GPs would continue to be involved.

A centralised system would mean it was done once and done well.

The report found it would not be "practicable" for individual GP practices to do their own security testing or assurance. "Instead, providers should be checked and approved at a central level," it said.

Hack increased workload for GPs

Butcher said there had been "a huge amount of work for practices and PHOs alike" responding to concerned patients and putting out updates.

"They do have that duty and that willingness to work with their patients because practices do feel a sense of ownership over patient records, even if they're not responsible for what's occurred."

Chief operating officer for WellSouth Primary Health Network Damon Campbell said he had advocated strongly throughout the process for GPs not to be held responsible for vetting and now the commissioner's report had backed that view.

"Not only was the Manage My Health breach preventable but [the report] found that GP practices were not the source of the breach and could not have prevented it," he said.

Everyone in the health sector had a responsibility to safeguard patient information but practices had trusted Manage My Health and Health NZ to have adequate protections in place and that trust had been misplaced.

"The commissioner's recommendation that patient health portal providers be verified and approved centrally is exactly right. Practice teams should be able to focus on their core role - supporting the health and wellbeing of their patients."

The Privacy Commissioner said the second phase of the inquiry, which would start soon, was likely to look into further questions about GPs' obligations when using patient health portals, including what patients were told and how authorisation was obtained to set up accounts.
