New Zealand's Privacy Commissioner has found that Te Whatu Ora Health New Zealand and Manage My Health Limited failed to meet their responsibilities to protect health information, following an inquiry into "one of New Zealand's largest known breaches of sensitive personal information."

Both organisations breached Rule 5 of the Health Information Privacy Code over the Manage My Health cyberattack in December, according to the inquiry, and are expected to face compliance notices requiring them to show they have addressed the identified security failures.

FINDINGS

The breach affected 99,416 patients, revised down from an initial estimate of 126,000, according to the report by the Office of the Privacy Commissioner (OPC). Around 91% of affected patients were in Northland, where Te Whatu Ora had a unique arrangement with Manage My Health to make certain hospital records available through the portal.

According to the report, the attackers logged in to the portal with valid stolen patient credentials and, once inside, used that access to view and copy documents from thousands of other patients' accounts.

The compromise was limited to the portal's My Health Documents module. Stolen information included patient-uploaded documents and Northland hospital discharge summaries, as well as personal identifiers such as names, dates of birth, NHI numbers, addresses, email addresses and phone numbers.

The inquiry found that the breach was not caused by a single failure at Manage My Health, but by a combination of security weaknesses that made the incident more likely and increased its impact. For example, multifactor authentication was available on the platform but was optional, and web security and identity and access management controls were "not sufficiently effective."
Earlier testing had identified recurring access control and application security risks that had not been adequately addressed by the time of the breach.

Manage My Health's own systems did not detect the hackers' presence or activity; the company first became aware of the incident when it was alerted by Te Whatu Ora.

Manage My Health told the Privacy Commissioner it has since required multifactor authentication for all users, fixed the vulnerability used in the attack, and begun updating its contracts and policies and strengthening governance arrangements. The commissioner has not yet independently validated those fixes.

A separate Ministry of Health review, released two days after the Privacy Commissioner's report, also found the breach was "largely preventable" and identified significant security control gaps, known application security risks that had not been fully addressed, and weaknesses in incident preparedness and communications.

The inquiry also scrutinised Te Whatu Ora's Northland service, which used Manage My Health to give patients digital access to hospital documents, placing large volumes of sensitive hospital information in patient portal accounts. The OPC said the scale and novelty of that arrangement meant Te Whatu Ora "needed to meet very strong standards for due diligence, contract drafting, governance, risk management and ongoing assurance."

Instead, the inquiry found gaps in its due diligence, privacy risk assessments, contracts and project governance, including an apparent overreliance on assurances from Manage My Health and no direct privacy or security representation on the project steering group.
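The attack pattern the report describes, a valid login for one patient being used to read thousands of other patients' documents, and the fact that nothing on the operator's side flagged it, map onto two controls a portal team can check directly: an object-level ownership test on every document fetch, and a log rule that notices one session reading records owned by many different patients. The following is an added illustration written for this article, not code from Manage My Health or from either inquiry; the portal's actual vulnerability is not described on the page, so the "weak" function assumes the flaw was a lookup that verified only that the caller was logged in. The `Document`, `Session` and `ACCESS_LOG` data are constructed, and the NHI values are placeholders.

```python
"""Horizontal access control in a patient document endpoint, weak versus
hardened, plus a detection rule over constructed access-log entries.

Added example for illustration only. It assumes (not stated on the page)
that the portal's flaw was a document lookup that checked authentication
but not ownership.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_nhi: str  # patient the document belongs to
    title: str


@dataclass(frozen=True)
class Session:
    patient_nhi: str  # patient whose credentials logged this session in
    mfa_verified: bool


class Forbidden(Exception):
    """Raised when a request must be refused."""


# Constructed sample store; NHI values are placeholders, not real identifiers.
DOCUMENTS = {
    101: Document(101, "AAA0001", "discharge summary"),
    102: Document(102, "AAA0002", "discharge summary"),
    103: Document(103, "AAA0003", "uploaded referral"),
    104: Document(104, "AAA0003", "discharge summary"),
}


def fetch_document_weak(session, doc_id):
    """Assumed weak pattern: the only check is that the caller holds a valid
    session, so one stolen password reads every document id in the module."""
    if session is None:
        raise Forbidden("not authenticated")
    return DOCUMENTS[doc_id]


def fetch_document_hardened(session, doc_id):
    """Hardened: MFA is mandatory for the documents module, and a record is
    returned only when it belongs to the calling patient. Unknown and foreign
    ids fail identically, so the response does not confirm which ids exist."""
    if session is None or not session.mfa_verified:
        raise Forbidden("authentication incomplete")
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner_nhi != session.patient_nhi:
        raise Forbidden("no such document")
    return doc


# Constructed access log as (session_id, caller_nhi, doc_id). Session s1 is a
# patient reading their own two documents; s2 is a stolen credential being
# used to sweep the id space.
ACCESS_LOG = [
    ("s1", "AAA0003", 103),
    ("s1", "AAA0003", 104),
    ("s2", "AAA0001", 101),
    ("s2", "AAA0001", 102),
    ("s2", "AAA0001", 103),
    ("s2", "AAA0001", 104),
]


def cross_patient_sessions(log, documents=DOCUMENTS, min_foreign_owners=1):
    """Map session id -> number of distinct other patients whose documents
    that session read. In a patient-facing portal a session should read only
    its own records, so any non-zero count deserves an alert; the threshold
    is a parameter in case a deployment has legitimate delegated access."""
    foreign = defaultdict(set)
    for session_id, caller_nhi, doc_id in log:
        doc = documents.get(doc_id)
        if doc is not None and doc.owner_nhi != caller_nhi:
            foreign[session_id].add(doc.owner_nhi)
    return {
        s: len(owners) for s, owners in foreign.items()
        if len(owners) >= min_foreign_owners
    }


if __name__ == "__main__":
    attacker = Session("AAA0001", mfa_verified=False)
    # Weak lookup hands over another patient's discharge summary.
    print(fetch_document_weak(attacker, 102).title)
    try:
        fetch_document_hardened(attacker, 102)
    except Forbidden as exc:
        print("hardened refused:", exc)
    # Detection flags only the sweeping session.
    print(cross_patient_sessions(ACCESS_LOG))
```

The detection rule is deliberately keyed on distinct owners rather than request volume: a stolen credential used to export the module will touch many owners even at a slow rate, while a legitimate patient session touches exactly one. Whether this would have caught the real incident depends on the portal logging the document owner alongside the session, which is the logging decision worth making before an incident rather than after.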
The contracts between Te Whatu Ora and Manage My Health were also found to be "not fit for purpose and did not contain appropriate protections for patient information."

In a separate statement following the commissioner's findings, Te Whatu Ora said it had stopped the flow of information from the Northland district to Manage My Health after further due diligence. Te Whatu Ora said it is putting measures in place so Northland patients can immediately receive paper copies of discharge summaries after hospital visits. It has also updated its digital services contract templates, strengthened privacy and security assessment processes, and is conducting health information security assessments of Manage My Health and other patient portals.

Meanwhile, the OPC said GP practices were unlikely to be legally responsible for the specific information stolen because they did not control or access the compromised My Health Documents module, but it warned that this was largely a "question of luck" and that practices still have Rule 5 obligations when engaging patient portal providers.

The Privacy Commissioner called for stronger central oversight of health technology vendors, saying there is currently no central process to verify whether key health sector suppliers, including patient portal providers, meet relevant security standards. The commissioner recommended that the Ministry of Health establish a centralised, ongoing programme to verify the security of key health sector vendors, rather than leaving individual providers such as GP practices to assess suppliers' safeguards on their own.

MOH Chief Medical Officer Dr Joe Bourne said the ministry has accepted all 26 recommendations from its own review, which was informed by independent reports from Bastion Security Group and CyberCX.
The ministry said it is working toward a "more consistent, system-wide approach" to independently validating that health sector suppliers holding sensitive health data meet appropriate cybersecurity standards.

The OPC also recommended that the Ministry of Justice seek amendments to the Privacy Act to make third-party service providers directly liable for reasonable security safeguards, including when they collect, store or process personal information on behalf of another organisation.

A second phase of the inquiry will examine whether patients were properly asked before Manage My Health accounts were created, whether they received enough information about how the portal would be used, how information was retained and deleted, and whether breach notifications complied with the Privacy Act.

The breach is not an isolated case in the sector. In February, the medication management platform MediMap reported a major breach of its system, and in March the private specialist healthcare provider IntraCare also disclosed a hacking incident.
Privacy watchdog faults operator, Health NZ over Manage My Health hack
New Zealand's Privacy Commissioner plans to issue compliance notices after finding security failures in the Manage My Health patient portal breach affecting nearly 100,000 people.