Ian Powell – Mismanaging my (and our) health by private operational control

The Manage My Health cyber breach was not just a security failure — it was a failure of sovereignty.

When 127,000 patients’ health records were exposed, it revealed something far more troubling than missing safeguards: New Zealand had quietly ceded control of its most sensitive public health infrastructure to a private near-monopoly. This is not an isolated IT lapse, but the predictable outcome of decades of privatisation, regulatory neglect, and ideological hostility to public capacity.

From Big Tech Militarism to Health Data Sovereignty

‘Big tech’ in the United States military and the controversy over the Manage My Health (MMH) security breach resulting from a cyberattack on 31 December in Aotearoa New Zealand appear to be solar systems apart beginning with scale and scope.

However, while absorbing the breaking news of the latter, early in the new year I was struck by an article on the former by Francesca Bria published in Le Monde Diplomatique (November 2025): Big Tech sovereignty takeover.

Palantir Technologies specialises in taking over sovereignty of core public functions

Bria reports that in late July the US Army had:

…quietly signed away a critical piece of its sovereignty. A $10 billion contract with Palantir Technologies – one of the largest in the Department of Defense’s history – consolidated 75 separate procurement agreements into a single package. What looked like bureaucratic streamlining was in reality a strategic handover of core military functions to a private company…

This handover means that targeting decisions, troop movements and intelligence analysis increasingly flow through algorithms governed not by military command but by a corporate board answerable to shareholders. The army wasn’t just buying software, it was ceding operational sovereignty to a platform it can no longer function without.

The Manage My Health Breach

This article encouraged me to consider the Manage My Health security scandal in a new light – ceding sovereignty over critical and highly personal health data to a privately owned and operated platform.

Likely many people of my generation I have regular general practitioner check-ups. This includes using Manage My Health. I find it useful for better understanding and monitoring my health status. It is a good tool for patients.

However, I never appreciated that a private company was managing my health data. Even though I have an extensive understanding of our health system, for some reason I expected that the Ministry of Health operated the system.

I was wrong. In my defence, a more experienced health system friend shared the same misunderstanding.

The breach

About 127,000 patients are believed to have had their data accessed. An estimated 70% were in Northland where Manage My Healt also interconnects with secondary (hospital) care health data.

Simeon Brown and health system leadership caught off guard by massive privacy breach (Emmerson, NZ Herald)

Security specialists have identified the lack of multiple baseline controls, such mandatory multi-factor authentication, as issue.

They argue that requiring a second verification step dramatically reduces the risk of automated password-guessing attacks.

Manage My Health a privately operated and owned public good

A Privately Operated Public Good

Manage My Health arose out of a general practice management system, Medtech, developed in the late 1980s that went on to be used by the majority of general practitioners in our primary care health system.

Building on this growing base, in 2008, Medtech launched Manage My Health which was set up to give patients online access to their prescriptions, results and messages.

Aided and abetted by government funding in the mid-2010s, uptake by general practices accelerated.

By the time of the successful 31 December cyberattack, Manage My Health was the most-used health portal service which GPs utilised to share information with their patients.

This was followed by a second  cyberattack breach affecting Canopy Health which is the largest private medical oncology provider, including running diagnostic and oncology clinics, and private breast surgical centres; but a minnow compared with Manage My Health.

Substantive analysis

Dr. Bryce Edwards through his Democracy Project has published seven penetrating pieces on this scandal which has caused so much concern, even panic, among patients along with alarming GPs.

Edwards’ analysis goes beyond the breach itself, locating it within decades of privatisation and regulatory capture.

He doesn’t just provide a thorough understanding of the breach. Also addressed is its significance in the context of the public health system, including the role of neoliberal ideology. In doing this he draws upon extensive media coverage.

His final piece was published (with links to his previous six articles) on 15 January began with re-emphasising the root cause before outlining the reforms needed to address the debacle: Needed reforms.

Edwards begins by summarising his diagnosis:

Decades of privatisation built a fragile system, leaving our health IT infrastructure splintered and under-resourced. A near-monopoly concentrated the risk, handing 1.8 million New Zealanders’ records to a one-man private empire. The watchdogs were ignored and muzzled: successive Privacy Commissioners’ warnings went unheeded, and regulators were kept toothless by design. Meanwhile, industry lobbying captured the policy process, framing basic protections as “red tape” and convincing politicians that regulation was a dirty word.

He then proceeds to outline four necessary reforms. In summary they are:

1. Privacy laws with teeth.
2. End the ‘high trust’ charade.4
3. Rebuild public capacity.
4. Resource the ‘watchdog’ (ie, Privacy Commissioner).

Reforming public health records; restore sovereignty

Brian Roche, Public Health Commissioner: His and the Privacy Commissioner’s reviews are good but not enough

The Privacy Commissioner is undertaking a review of the privacy breach while the Public Service Commissioner is requiring all government ministries and agencies to review data provision arrangements with third parties.

Both initiatives are laudable but, on their own they are not enough. It is necessary to systemically dig deeper and wider. Bryce Edwards’ above recommended reforms are the way to go.

While all are critical I want to particularly focus on the third, rebuilding public records capacity. Addressing this well would potentially be a game changer for both patients and health system functioning.

What has become clear is that, partly through a privatisation ideology and partly by a policy vacuum, digital patient health records are largely owned and operated by a private near monopoly.

When digital health records are contracted out in this way there is a serious risk of profiteering compromising the public good (ie, safety and confidentiality of patient records).

Hypothetically, to address this conflict of interest, robust Health Ministry monitoring is required.

This means not only resourcing IT well (the opposite is currently happening). It also requires, if done well, high transaction costs which can sometimes inadvertently enable operational rigidity.

Simeon Brown and Political Responsibility

Health Minister Simeon Brown not responsible; but if he’s not part of the solution he’s part of the problem (NZ Herald)

The current Manage My Health scandal can’t be blamed on Health Minister Simeon Brown or his government. The cause predates the 2023 election by many years under successive governments.

However, it is also clear that, to date at least, his government is making it worse and not just through shortsighted IT staffing cuts. It is the old saying; if you are not part of the solution you are part of the problem.

Health records and Manage My Health (Slane, Listener)

The solution is to end the slashing of health IT staff, restore what has already been cut, and rebuild the capacity of the Ministry of Health (and Health New Zealand) to do what needs to be done (and done well).

The ‘Little Palantir’ Problem

I began this post by quoting from the above-mentioned Le Monde Diplomatique article the US giant Palantir Technologies acquiring sovereignty over core American army functions.

In November 2023, Palantir was awarded a controversial £330 million contract to create a new data management system in England’s National Health Service. Inevitably, if this proceeds (there is a strong campaign in opposition) it will constitute another big sovereignty loss.

The underlying cause of the Manage My Health cybersecurity breach was the loss of government sovereignty over digital health records to a ‘Little Palantir’. This government (or the next one following the election in November) must work to turn this around.

Postscript

Since first publishing this post I received feedback that I had let Simon Brown “off the hook too readily.”

I disagree because I did refer to his government’s IT cost cutting as further perpetuating the precariousness of Manage My Health ownership and operational control. It was also not the main focus of my post.

However, there is merit in referring to the fact that Ministry of Health recommendations in 2021 led the previous government taking responsibility for building public cyber capability and sharing that resource with the primary care sector.

The leadership of that work was stopped as a direct result of Minister Brown’s $300 million cut from data and digital funding. On reflection it is worth of specific mention.