Two cyber hacks have highlighted the vulnerability of New Zealand’s digital health systems – and the vast volumes of patient data we rely on them to protect.

Following the hacking of Manage My Health – compromising the records of about 127,000 patients – and an earlier breach at Canopy Health, a concerned public is asking how this happened and who is to blame.

The most urgent question, however, is whether it can happen again.

What we know so far

Manage My Health (MMH) – a patient portal used by many general practices to share test results, prescriptions and messages – published its first public notice about a cyber security incident on New Year’s Day.

According to the company, it became aware of unauthorised access on December 30, after being alerted by a partner. It says it immediately engaged independent cyber security specialists and that the compromise was limited to its “Health Documents / My Health Documents” module.

The Office of the Privacy Commissioner confirmed it was notified on January 1 and later published guidance for those affected. The National Cyber Security Centre also issued an incident notice.

MMH has since obtained urgent High Court injunctions that restrain the use or publication of data taken. In its decision, the court described activity patterns consistent with automation, including unusually high-frequency behaviour and repeated access attempts.

While this sheds some light on how the hacker operated, it does not establish which specific technical control failed – or where responsibility ultimately lies.

We have now also learned that a second provider, Canopy Health, experienced unauthorised access to parts of its administrative systems six months ago, with some patients only being notified this week.