Security Assurance for ManageMyHealth
Ron M made this Official Information request to Health New Zealand
This request has an unknown status. We're waiting for Ron M to read a recent response and update the status.
From: Ron M
Dear Health New Zealand,
Hoping you can help answer the following request for information.
If you could please:
1. Provide the most recent security assurance artefacts Health NZ held about ManageMyHealth (or the relevant legal name of the vendor) prior to the security breach incident, such as but not limited to:
security assessments,
audit reports,
pen test summaries/executive summaries,
SOC 2/ISO 27001 attestations (if any),
risk acceptance documents.
2. Provide any risk register entries (or equivalent) relating to ManageMyHealth (or patient portals / third-party patient-facing platforms), including risk owner and treatment status.
3. Provide records of any known vulnerabilities, audit findings, or exceptions related to this service, and evidence of how/when they were remediated or accepted.
This request is not to expose technical details and only to understand findings, severity, and remediation status.
Yours faithfully,
Ron
From: hnzOIA
Tçnâ koe,
Thank you for your email.
Under the Official Information Act (OIA), agencies are required to respond
to requests for official information as soon as reasonably practicable and
no later than 20 working days after receiving them.
Please note that the period from 25 December 2025 to 15 January 2026
(inclusive) is not counted as working days under the OIA. As a result, any
OIA requests received on or after 29 November 2025 may take longer to
process than usual, as the maximum response timeframe may extend into the
new year.
If your request is for data that Health NZ holds, have you checked
[1]Lighthouse first to see if the data you are seeking is already
published?
Lighthouse is a searchable catalogue that makes a range of data and
analytics products available to New Zealanders to enable easier, faster
access to insights about health services.
You can find further information about how OIA timeframes are calculated,
including the Ombudsman’s OIA calculator, at the link below:
[2]Official information calculators | Ombudsman New Zealand
We will provide a response to your request in line with the statutory
timeframes set out in the OIA.
We appreciate your understanding and patience during this time.
Ngâ mihi,
Health NZ | Te Whatu Ora.
Statement of confidentiality: This email message and any accompanying
attachments may contain information that is IN-CONFIDENCE and subject to
legal privilege. If you are not the intended recipient, do not read, use,
disseminate, distribute or copy this message or attachments. If you have
received this message in error, please notify the sender immediately and
delete this message
References
Visible links
1. https://www.tewhatuora.govt.nz/for-healt...
2. https://www.ombudsman.parliament.nz/agen...
Things to do with this request
- Add an annotation (to help the requester or others)
- Download a zip file of all correspondence (note: this contains the same information already available above).
Offensive? Unsuitable?
Requests for personal information and vexatious requests are not considered valid requests for Official Information (read more).
If you believe this request is not suitable, you can report it for attention by the site administrators
Report this requestAct on what you've learnt
Similar requests
Complaints Regarding Team Medical Paraparaumu (March 2020 – Present)
To Health New Zealand by Juanita
