Bastion Security

ManageMyHealth: Key Lessons for Strengthening Digital Health Security

ManageMyHealth’s breach is a turning point for NZ digital health, revealing gaps in safeguards, vendor assurance & readiness.
May 29, 2026
Key takeaways
  • The Manage My Health breach has reset expectations for digital health security in New Zealand
  • Third-party assurance, contracts, and incident response are the weakest points
  • Trust is no longer based on assertion, it must be supported by evidence
  • Providers who can demonstrate this clearly will be better positioned commercially and operationally

Why the Manage My Health reports matter

The release of the Manage My Health breach reports is an important moment for New Zealand’s digital health sector. The impact goes well beyond one platform or one incident.

There will be close attention to the specific control failures, as there should be. But the issue they expose runs wider.

Digital health depends on trust. Until now, too much of that trust has rested on assertion: supplier statements, completed questionnaires, policy documents and contractual clauses, often without clear evidence that the controls they describe are actually working in practice.

The findings from the Office of the Privacy Commissioner (OPC) make clear that this is no longer a credible position.

The OPC concluded that both Manage My Health and Health New Zealand failed to meet their obligations to maintain reasonable safeguards under Rule 5 of the Health Information Privacy Code 2020. It has also signalled its intent to issue compliance notices requiring both organisations to address deficiencies and demonstrate compliance.

This is not just a technical issue. It is a governance, assurance, supplier-risk and trust issue.

What actually failed in the breach?

The breach was not the result of a single control failure. It reflected multiple weaknesses across prevention, detection and response, alongside gaps in governance and oversight.

In practical terms, those weaknesses included:

  • multifactor authentication not being enforced for all users
  • identity and access management controls that were not sufficiently effective
  • web and application security that did not prevent large-scale unauthorised access
  • monitoring that did not detect or interrupt the activity in time
  • testing and assurance that did not identify or mitigate key risks

This pattern is familiar. Controls may exist on paper, but the gap between what is documented and what is actually operating is not always tested or challenged.
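As an added example that is not from the article or the OPC reports, the script below shows what checking the documented-versus-operating gap can look like for two of the weaknesses listed above: it tests an "MFA is enforced for all users" claim against an identity-provider user export, and it runs a bulk-access detection over an application access log of the kind that should have interrupted large-scale record reads. All input is constructed inline; the field names, the 30-day activity window, the 50-records-in-5-minutes threshold and the report date are assumptions, not the schema or tuning of any real platform.

```python
"""Evidence checks for two control claims: MFA enforcement and bulk-access
detection. Added example; data, field names and thresholds are assumptions."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity-provider export. A control register may say
# "MFA enforced for all users"; this is the artefact that claim is tested against.
USER_EXPORT = """\
user,role,mfa_enrolled,last_login
alice@clinic.example,clinician,true,2026-05-20T08:01:00
bob@clinic.example,admin,false,2026-05-21T09:14:00
carol@clinic.example,clinician,false,2026-05-22T10:30:00
dave@clinic.example,clinician,true,2026-05-22T11:45:00
"""

# Assumed report date (matches the article date); passed in so checks are repeatable.
REPORT_DATE = datetime(2026, 5, 29)


def build_log():
    """Constructed application access log: one line per patient record read.
    Alice behaves like a clinician; Carol reads 150 distinct records in 150 s."""
    base = datetime(2026, 5, 22, 10, 30, 0)
    lines = []
    for i in range(5):
        t = base + timedelta(minutes=12 * i)
        lines.append(f"{t.isoformat()} actor=alice@clinic.example action=read_record record_id={2000 + i}")
    for i in range(150):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} actor=carol@clinic.example action=read_record record_id={1000 + i}")
    return lines


def users_without_mfa(export_csv, now=REPORT_DATE, active_within_days=30):
    """Return active users who are not MFA-enrolled. An empty list is evidence
    the control operates; a non-empty list is the gap between paper and practice."""
    gaps = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        last_login = datetime.fromisoformat(row["last_login"])
        enrolled = row["mfa_enrolled"].strip().lower() == "true"
        if not enrolled and now - last_login <= timedelta(days=active_within_days):
            gaps.append(row["user"])
    return gaps


def bulk_access_events(log_lines, window=timedelta(minutes=5), threshold=50):
    """Flag actors that read more than `threshold` distinct records inside any
    sliding `window`. Returns {actor: peak distinct records in one window}."""
    per_actor = defaultdict(list)
    for line in log_lines:
        ts_str, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        if fields.get("action") != "read_record":
            continue
        per_actor[fields["actor"]].append((datetime.fromisoformat(ts_str), fields["record_id"]))

    alerts = {}
    for actor, events in per_actor.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide window start
                start += 1
            distinct = {rid for _, rid in events[start:end + 1]}
            if len(distinct) > threshold:
                alerts[actor] = max(alerts.get(actor, 0), len(distinct))
    return alerts


def evidence_report(export_csv, log_lines):
    """Combine both checks and correlate them: bulk reads by an account that the
    MFA policy should have covered but did not is the finding to escalate."""
    gaps = users_without_mfa(export_csv)
    alerts = bulk_access_events(log_lines)
    return {
        "users_without_mfa": gaps,
        "bulk_access": alerts,
        "bulk_access_without_mfa": sorted(a for a in alerts if a in gaps),
    }


if __name__ == "__main__":
    for key, value in evidence_report(USER_EXPORT, build_log()).items():
        print(f"{key}: {value}")
```

Run as-is, the report lists two active users without MFA, one actor whose reads exceed the bulk threshold, and the overlap between them. The point is not the thresholds, which any real deployment would tune, but that each answer comes from an artefact (an export, a log) rather than from a questionnaire response.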

The reports also highlight a wider issue in third-party assurance. Health NZ’s vendor assessment approach was risk-based but largely paper-driven, relying on supplier-provided evidence and limited technical validation. Contractual arrangements were also insufficient, with a lack of clarity around enforceable security obligations.

Digital health services rely on a network of organisations including vendors, subcontractors, cloud providers and clinical systems. Weak assurance anywhere in that chain affects confidence in the overall service.

Why trust now needs to be evidenced

The shift is from having controls to proving they work.

In our experience, most organisations are not set up to demonstrate this clearly today. In some cases, controls are incomplete. More often, the controls exist but the supporting evidence does not.

Common examples include:

  • outdated testing results that no longer reflect the current environment
  • supplier assurance based on questionnaires rather than validation
  • contracts that include security clauses but are not actively enforced
  • control registers without supporting artefacts

That gap is what will be tested next.

To demonstrate trust, organisations need to answer practical questions:

  • How do we know controls are operating in practice?
  • How are supplier and subcontractor risks identified and managed?
  • How is testing scoped, validated and remediated?
  • What evidence would we rely on during an incident?
  • How are privacy and security risks escalated to decision-makers?

These are the questions that arise when confidence is under pressure.

Where trust breaks in digital health systems

Trust tends to fail at the hand-offs.

It rarely collapses in one obvious place. Instead, it breaks:

  • Between customer and supplier
  • Between supplier and subcontractor
  • Between what a contract says and what can be enforced
  • Between documented controls and actual operation

Supplier assurance that relies heavily on documents and statements is fragile.

This becomes most visible during an incident, when organisations need to answer:

  • What happened?
  • What data was affected?
  • What has been contained?
  • What remains uncertain?
  • Who needs to be informed?

Where evidence already exists, those questions are manageable. Where it does not, organisations are forced to construct answers under pressure. The same applies to governance. It is not enough to say risk is managed. Organisations need to show how risks are identified, escalated and actively overseen.

Why this will become a commercial issue

This shift will not remain within regulatory boundaries.

It will show up in:

  • Procurement decisions
  • Partner due diligence
  • Board and executive scrutiny
  • Patient trust and adoption

Organisations that can demonstrate strong, independently verifiable security will be better positioned as expectations increase. Those that cannot will find trust harder to earn, and harder to recover once it is lost.

What effective assurance now looks like

Organisations that respond well will build an evidence-based assurance model, rather than simply updating policies or control registers.

That includes being able to produce:

  • current control evidence
  • supplier risk tiering and review records
  • independent test results with confirmed remediation
  • incident response testing outputs
  • data access and retention records
  • board reporting that clearly reflects decisions and risk acceptance

Equally important is being able to explain what that evidence means, where gaps remain, and what actions are underway. That is what turns a general statement about security into something that can be relied on.

What digital health providers should ask now

For organisations operating, procuring or governing digital health services, the key question is no longer "Are we secure?"

It is: if our security, privacy and supplier governance were examined tomorrow, would the evidence increase confidence or reduce it?

Most digital health services rely heavily on third parties. Outsourcing capability does not outsource accountability.

Effective assurance requires:

  • structured onboarding due diligence
  • ongoing supplier monitoring
  • independent validation of controls
  • clear accountability for outcomes

What happens next?

The Manage My Health reports will drive activity across the sector. Controls will be reviewed, policies updated, frameworks strengthened and contracts revisited.

That work is necessary. Organisations that respond well will go further. They will make security visible, assurance credible and governance evidence-based rather than assumed. This is how confidence is rebuilt in a sector that depends on trust.

Next steps

If you want to understand how your current environment would stand up under this level of scrutiny, we can help.

At Bastion, we work with digital health providers and agencies across:

  • control evidence and validation
  • third-party risk and supplier assurance
  • incident readiness and response
  • governance and board-level reporting
  • privacy consulting and impact assessments
  • alignment to security and privacy frameworks

If it would be useful to talk it through, get in touch at steve.honiss@bastionsecurity.co.nz for a confidential chat.
