Ian Powell – Mismanaging my (and our) health by private operational control

‘Big tech’ in the United States military and the controversy over the Manage My Health (MMH) security breach resulting from a cyberattack on 31 December in Aotearoa New Zealand appear to be solar systems apart beginning with scale and scope.

However, while absorbing the breaking news of the latter, early in the new year I was struck by an article on the former by Francesca Bria published in Le Monde Diplomatique (November 2025): Big Tech sovereignty takeover.

Palantir Technologies specialises in taking over sovereignty of core public functions

Bria reports that in late July the US Army had:

…quietly signed away a critical piece of its sovereignty. A $10bn contract with Palantir Technologies – one of the largest in the Department of Defense’s history – consolidated 75 separate procurement agreements into a single package. What looked like bureaucratic streamlining was in reality a strategic handover of core military functions to a private company…

This handover means that targeting decisions, troop movements and intelligence analysis increasingly flow through algorithms governed not by military command but by a corporate board answerable to shareholders. The army wasn’t just buying software, it was ceding operational sovereignty to a platform it can no longer function without.

This article encouraged me to consider the MMH security scandal in a new light – ceding sovereignty over critical and highly personal health data to a privately owned and operated platform.

Likely many people of my generation I have regular general practitioner check-ups. This includes using MMH. I find it useful for better understanding and monitoring my health status. It is a good tool for patients.

However, I never appreciated that a private company was managing my health data. Even though I have an extensive understanding of our health system, for some reason I expected that the Ministry of Health operated the system.

I was wrong. In my defence, a more experienced health system friend shared the same misunderstanding.

The breach

About 127,000 patients are believed to have had their data accessed. An estimated 70% were in Northland where MMH also interconnects with secondary (hospital) care health data.

Simeon Brown and health system leadership caught off guard by massive privacy breach (Emmerson, NZ Herald)

Security specialists have identified the lack of multiple baseline controls, such mandatory multi-factor authentication, as issue.

They argue that requiring a second verification step dramatically reduces the risk of automated password-guessing attacks.

Manage My Health a privately operated and owned public good

MMH arouse out of a general practice management system, Medtech, developed in the late 1980s that went on to be used by the majority of general practitioners in our primary care health system.

Building on this growing base, in 2008, Medtech launched MMH which was set up to give patients online access to their prescriptions, results and messages.

Aided and abetted by government funding in the mid-2010s, uptake by general practices the accelerated.

By the time of the successful 31 December cyberattack, MMH was the most-used health portal service which GPs utilised to share information with their patients.

This was followed by a second  cyberattack breach affecting Canopy Health which is the largest private medical oncology provider, including running diagnostic and oncology clinics, and private breast surgical centres; but a minnow compared with MMH.

Substantive analysis

Dr Byrce Edwards through his Democracy Project has published seven penetrating pieces on this scandal which has caused so much concern, even panic, among patients along with alarming GPs.

Bryce Edwards has done the most substantive analysis including recommended reforms

He doesn’t just provide a thorough understanding of the breach. Also addressed is its significance in the context of the public health system, including the role of neoliberal ideology. In doing this he draws upon extensive media coverage.

His final piece was published (with links to his previous six articles) on 15 January began with re-emphasising the root cause before outlining the reforms needed to address the debacle: Needed reforms.

Edwards beginnings by summarising his diagnosis:

Decades of privatisation built a fragile system, leaving our health IT infrastructure splintered and under-resourced. A near-monopoly concentrated the risk, handing 1.8 million New Zealanders’ records to a one-man private empire. The watchdogs were ignored and muzzled: successive Privacy Commissioners’ warnings went unheeded, and regulators were kept toothless by design. Meanwhile, industry lobbying captured the policy process, framing basic protections as “red tape” and convincing politicians that regulation was a dirty word.

He then proceeds to outline four necessary reforms. In summary they are:

1. Privacy laws with teeth.
2. End the ‘high trust’ charade.4
3. Rebuild public capacity.
4. Resource the ‘watchdog’ (ie, Privacy Commissioner).

Reforming public health records; restore sovereignty

Brian Roche, Public Health Commissioner: His and the Privacy Commissioner’s reviews are good but not enough

The Privacy Commissioner is undertaking a review of the privacy breach while the Public Service Commissioner is requiring all government ministries and agencies to review data provision arrangements with third parties.

Both initiatives are laudable but, on their own they are not enough. It is necessary to systemically dig deeper and wider. Bryce Edwards’ above recommended reforms are the way to go.

While all are critical I want to particularly focus on the third, rebuilding public records capacity. Addressing this well would potentially be a gamechanger for both patients and health system functioning.

What has become clear is that, partly through a privatisation ideology and partly by a policy vacuum, digital patient health records are largely owned and operated by a private near monopoly.

When digital health records are contracted out in this way there is a serious risk of profiteering compromising the public good (ie, safety and confidentiality of patient records).

Hypothetically, to address this conflict of interest, robust Health Ministry monitoring is required.

This means not only resourcing IT well (the opposite is currently happening). It also requires, if done well, high transaction costs which can sometimes inadvertently enable operational rigidity.

Health Minister Simeon Brown not responsible; but if he’s not part of the solution he’s part of the problem (NZ Herald)

The current Manage My Health scandal can’t be blamed on Health Minister Simeon Brown or his government. The cause predates the 2023 election by many years under successive governments.

However, it is also clear that, to date at least, his government is making it worse and not just through shortsighted IT staffing cuts. It is the old saying; if you are not part of the solution you are part of the problem.

Health records and Manage My Health (Slane, Listener)

The solution is to end the slashing of health IT staff, restore what has already been cut, and rebuild the capacity of the Ministry of Health (and Health New Zealand) to do what needs to be done (and done well).

‘Little Palantir’

I began this post by quoting from the above-mentioned Le Monde Diplomatiquearticle the US giant Palantir Technologies acquiring sovereignty over core American army functions.

In November 2023, Palantir was awarded a controversial £330 million contract to create a new data management system in England’s National Health Service. Inevitably, if this proceeds (there is a strong campaign in opposition) it will constitute another big sovereignty loss.

The underlying cause of the Manage My Health cybersecurity breach was the loss of government sovereignty over digital health records to a ‘Little Palantir’. This government (or the next one following the election in November) must work to turn this around.