When a healthcare data breach happens, the real danger is often not just what hackers gain access to. It also lies in what the incident reveals about how patient information is governed in the first place.
That’s why the New Zealand Ministry of Health’s review of the ManageMyHealth cyber breach matters far beyond a single platform or a single country: what began as a security incident affecting more than 126,000 people is now being treated as a test of organizational capability, data governance, and regulatory accountability across the health system.
What makes the New Zealand case worth following is not the procedural timeline, but what the investigations are actually testing. Regulators are using this one breach as a window into a larger question: are health systems truly designed to protect highly sensitive information, or have convenience, speed, and legacy technology outpaced basic governance?
By looking across patient portals, security practices, and relationships among platform providers and public agencies, they are assessing whether today’s safeguards genuinely match the stakes.
That broader lens is becoming the norm well beyond New Zealand. Around the world, authorities are treating health data incidents less as one-off technical mishaps and more as signals about how entire systems are run.
For healthcare organizations, that shift raises the bar, not just for regulatory compliance, but for how leaders build and maintain public confidence in the digital infrastructure people now rely on for care.
Health data becomes critical infrastructure
Over the past several years, healthcare breach investigations have started to look less like traditional cybersecurity audits and more like reviews of essential infrastructure. Instead of asking only "How did attackers get in?", regulators are now probing deeper questions about risk ownership, unresolved vulnerabilities, data management across its lifecycle, and whether responses were timely and coordinated.
The ManageMyHealth review reflects this shift. Its scope reaches well beyond technical controls to examine security architecture, the organization’s ability to run a critical health platform safely, and data retention practices that leave historical records exposed online.
At the same time, New Zealand’s Office of the Privacy Commissioner is assessing compliance with the Privacy Act and the broader governance arrangements linking platform providers, health agencies, and care organizations.
This pattern is playing out globally. In the U.S., the February 2024 Change Healthcare ransomware attack – the largest healthcare breach in U.S. history – prompted the HHS Office for Civil Rights to investigate whether safeguards and governance practices met HIPAA standards. Across jurisdictions, regulators are now insisting on root-cause analysis, sustained governance improvements, and clear executive accountability.
The implication is increasingly clear: Patient data has become, in every practical sense, critical infrastructure for healthcare. It is no longer just an administrative byproduct of care – it is the foundation on which modern healthcare operates.
When that data is compromised or rendered inaccessible, the impact mirrors a power failure: systems halt, care stalls, and the ripple effects reach far beyond privacy. Clinical operations falter, public trust erodes, and the resilience of entire health systems is called into question.
As a result, regulators expect healthcare leaders to treat cyber risk as a core responsibility, invest continuously in governance, and align protection standards with the sensitivity of the data they hold. For organizations, this represents a shift from episodic compliance to ongoing stewardship of patient information.
Recurring governance gaps
Most health data breaches are less about hackers and more about weak governance – unclear ownership, unmanaged legacy data, and fragmented responsibility across a complex ecosystem.
That pattern appears even when the technical details differ. The ManageMyHealth breach highlights problems that surface repeatedly across healthcare: known vulnerabilities left unresolved, historical data kept longer than needed, and protection standards that did not match the sensitivity of the information involved.
Similar dynamics were visible in the MOVEit breaches, which spread through thousands of organizations because of systemic, unpatched weaknesses. They were also evident in 2025 ransomware incidents at U.S. providers such as DaVita and Frederick Health, in which attackers exploited gaps in basic safeguards and patch management.
Together, these cases show how fragmented accountability and uneven governance amplify risk and slow response.
Inside many organizations, cybersecurity is still treated primarily as an IT issue rather than an enterprise responsibility. Data ownership is scattered across systems and partners, vulnerability remediation competes with daily operations, and retention policies are often unclear or hard to implement – allowing old data to accumulate and exposure to grow quietly over time.
As a result, regulators are focusing less on the mere existence of vulnerabilities – which are inevitable – and more on whether organizations have clear risk ownership and disciplined processes to address them.
Healthcare’s ecosystem makes this harder. Patient portals, electronic health records, and third-party platforms span organizational boundaries, blurring responsibility and slowing escalation when incidents occur.
That is why breach reviews increasingly center on governance and data lifecycle management. Strong technical controls matter, but they cannot compensate for unclear ownership, unmanaged legacy exposure, and fragmented decision-making.
How healthcare organizations are responding
In response to this changing regulatory environment, healthcare organizations are elevating cyber risk from an IT problem to a leadership responsibility. Boards are increasingly treating patient data as a strategic asset, while management teams are clarifying who owns security risks, how quickly critical vulnerabilities must be addressed, and how unresolved issues become visible at the executive level.
The emphasis is shifting from whether controls exist to whether governance structures ensure sustained attention to risk.
At the same time, organizations are tightening how they handle data across its full lifecycle. Highly sensitive clinical information is receiving stronger controls, tighter access management, and more continuous monitoring.
Many providers are also shrinking their exposure by reducing unnecessary retention, removing historical records from internet-facing environments, and ensuring that archival data receives appropriate protection. They increasingly recognize that limiting what data they retain is one of the most effective ways to reduce risk.
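To make the lifecycle discipline described above concrete, here is an added example of a retention audit, written for this article and not code from ManageMyHealth, Health-ISAC, or any regulator. It assumes a hypothetical per-data-class policy (how long a record may stay on an internet-facing system without being used, and how long it may be kept at all) and a constructed inventory of records; the policy numbers are placeholders, not regulatory figures. Records in a class nobody has written a policy for are flagged for review, because an unowned data class is exactly the governance gap the reviews keep finding.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical retention policy, keyed by data class (values are placeholders).
# online_days: max days a record may sit unused on an internet-facing system
# retain_days: max days since creation before the record is due for disposal
RETENTION_POLICY = {
    "clinical_note":  {"online_days": 365 * 2, "retain_days": 365 * 10},
    "portal_message": {"online_days": 365,     "retain_days": 365 * 7},
    "audit_log":      {"online_days": 90,      "retain_days": 365 * 6},
}


@dataclass(frozen=True)
class Record:
    record_id: str
    data_class: str
    created: date
    last_accessed: date
    internet_facing: bool   # True if reachable from a patient portal or other public system


def classify(record: Record, today: date) -> str:
    """Return the lifecycle action owed to one record under RETENTION_POLICY.

    'review'       - no policy exists for this data class (ownership gap)
    'dispose'      - past total retention; queue for the disposal process
    'move_offline' - still retained, but idle too long on an internet-facing system
    'keep'         - within policy
    """
    policy = RETENTION_POLICY.get(record.data_class)
    if policy is None:
        return "review"
    age_days = (today - record.created).days
    if age_days > policy["retain_days"]:
        return "dispose"
    idle_days = (today - record.last_accessed).days
    if record.internet_facing and idle_days > policy["online_days"]:
        return "move_offline"
    return "keep"


def audit(records, today: date):
    """Classify every record; return (per-record actions, counts per action)."""
    actions = {}
    summary = {"keep": 0, "move_offline": 0, "dispose": 0, "review": 0}
    for rec in records:
        action = classify(rec, today)
        actions[rec.record_id] = action
        summary[action] += 1
    return actions, summary


# Constructed sample inventory (not real patient data).
SAMPLE_RECORDS = [
    Record("r1", "clinical_note",  date(2024, 1, 10), date(2025, 5, 20), True),
    Record("r2", "portal_message", date(2019, 3, 1),  date(2019, 3, 15), True),
    Record("r3", "audit_log",      date(2018, 1, 1),  date(2018, 1, 1),  False),
    Record("r4", "lab_result",     date(2024, 2, 2),  date(2024, 2, 2),  True),
    Record("r5", "clinical_note",  date(2012, 1, 1),  date(2024, 1, 1),  False),
]
AUDIT_DATE = date(2025, 6, 1)


def run_sample():
    """Run the audit over the constructed inventory."""
    return audit(SAMPLE_RECORDS, AUDIT_DATE)


if __name__ == "__main__":
    per_record, totals = run_sample()
    for record_id, action in per_record.items():
        print(f"{record_id}: {action}")
    print(totals)
```

Run against the sample, the audit keeps the recently used clinical note, moves the six-year-old portal message off the internet-facing tier, queues the expired audit log and the thirteen-year-old note for disposal, and flags the lab result because no policy covers its class. In practice the "dispose" list feeds the organization's approved disposal process rather than deleting anything directly, and the "review" count is a useful metric to surface at the executive level, since it measures how much data is being held with no stated owner.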
Finally, because modern healthcare depends on interconnected systems, providers are putting more structure around ecosystem risk and incident readiness. That includes clearer security expectations for third-party platforms and patient portals, as well as rehearsing how clinical, IT, legal, and communications teams would act together during a real breach.
Healthcare organizations are also sharing threat intelligence more actively with peers and sector groups so that lessons from one breach can help others prevent the next.
From compliance to confidence
The ManageMyHealth review is still underway, but its trajectory is already clear. For healthcare leaders, this moment is a prompt to rethink how patient data is governed across platforms, partners, and clinical settings. Technical fixes remain important, yet they are insufficient on their own. Greater resilience depends on clear risk ownership, disciplined data management, and sustained leadership engagement with cyber risk.
Trust remains central to healthcare. Patients assume their most personal information will be handled responsibly, while regulators increasingly expect organizations to prove that trust through strong governance rather than relying on formal policies alone.
The priority now is to build durable confidence in how healthcare organizations protect and steward patient data – consistently, not only after something goes wrong.
Paul Chua is the APAC Operations Director at Health-ISAC.