Tçnâ koe,

 

Thank you for your email. 

 

Under the Official Information Act (OIA), agencies are required to respond
to requests for official information as soon as reasonably practicable and
no later than 20 working days after receiving them.

 

Please note that the period from 25 December 2025 to 15 January 2026
(inclusive) is not counted as working days under the OIA. As a result, any
OIA requests received on or after 29 November 2025 may take longer to
process than usual, as the maximum response timeframe may extend into the
new year.

If your request is for data that Health NZ holds, have you checked
[1]Lighthouse first to see if the data you are seeking is already
published?

 

Lighthouse is a searchable catalogue that makes a range of data and
analytics products available to New Zealanders to enable easier, faster
access to insights about health services.

 

You can find further information about how OIA timeframes are calculated,
including the Ombudsman’s OIA calculator, at the link below:
[2]Official information calculators | Ombudsman New Zealand

 

We will provide a response to your request in line with the statutory
timeframes set out in the OIA.

We appreciate your understanding and patience during this time.

 

Ngâ mihi,
Health NZ | Te Whatu Ora.

Statement of confidentiality: This email message and any accompanying
attachments may contain information that is IN-CONFIDENCE and subject to
legal privilege. If you are not the intended recipient, do not read, use,
disseminate, distribute or copy this message or attachments. If you have
received this message in error, please notify the sender immediately and
delete this message

References

Visible links
1. https://www.tewhatuora.govt.nz/for-healt...
2. https://www.ombudsman.parliament.nz/agen...

Tēnā koe Ron

Thank you for your email of 6 January 2026, asking for the following
information under the Official Information Act 1982 (the OIA):

1. Provide the most recent security assurance artefacts Health NZ held
about ManageMyHealth (or the relevant legal name of the vendor) prior to
the security breach incident, such as but not limited to:

* security assessments,
* audit reports,
* pen test summaries/executive summaries,
* SOC 2/ISO 27001 attestations (if any),
* risk acceptance documents.

2. Provide any risk register entries (or equivalent) relating to
ManageMyHealth (or patient portals / third-party patient-facing
platforms), including risk owner and treatment status.
3. Provide records of any known vulnerabilities, audit findings, or
exceptions related to this service, and evidence of how/when they were
remediated or accepted.
 

This email is to let you know that Health NZ needs more time to make a
decision on your request.

The OIA requires that we advise you of our decision on your request no
later than 20 working days after the day we received your request.
Unfortunately, it will not be possible to meet that time limit and we are
therefore writing to notify you of an extension of the time to make our
decision, to 13 March 2026.

This extension is required because the consultations necessary to make a
decision on the request are such that a proper response cannot reasonably
be made within the original time limit.

If you have any questions, please contact us
at [1][email address] 

If you are not happy with this extension, you have the right to make a
complaint to the Ombudsman. Information about how to do this is available
at [2]www.ombudsman.parliament.nz or by phoning 0800 802 602.

Ngā mihi,

 

Emmie

Government Services
Health New Zealand | Te Whatu Ora

 

 

Statement of confidentiality: This email message and any accompanying
attachments may contain information that is IN-CONFIDENCE and subject to
legal privilege. If you are not the intended recipient, do not read, use,
disseminate, distribute or copy this message or attachments. If you have
received this message in error, please notify the sender immediately and
delete this message

References

Visible links
1. mailto:[email address]
mailto:[Health New Zealand request email]
2. http://www.ombudsman.parliament.nz/
http://www.ombudsman.parliament.nz/