133 Molesworth Street
PO Box 5013
Wellington 6140
New Zealand
T+64 4 496 2000
23 February 2026
Sam Malik
By email: [FYI request #33559 email]
Ref:
H2026077775
Tēnā koe Sam
Response to your request for official information
Thank you for your request under the Official Information Act 1982 (the Act) transferred to the
Ministry of Health – Manatū Hauora (the Ministry) on 23 January 2026.Your queries are
responded to in turn:
1. Ministerial/Privacy performance, delays, and compliance
a. Copies of internal reports, dashboards, or analyses (including metrics, KPIs, or
performance data) showing MOH or Health NZ’s compliance with OIA timeliness
obligations for the 2024 and 2025 calendar years.
Please find attached copies of documents within scope of your request. These are standard
internal six-monthly reports provided to the Ministry’s Operational Leadership Team on the
Ministry’s performance against its obligations under the Act, including the proactive release of
Cabinet papers. This reporting aligns with the timing of the Public Service Commission’s release
of OIA statistics and the Of ice of the Ombudsman’s publication of complaints data.
We note that no formal memoranda had been produced for the two most recent reporting
periods (January – June 2025 and July – December 2025) as the Ministry is currently
reconsidering the format and frequency of this reporting. Some information has been withheld
under section 9(2)(a) of the Act, to protect the privacy of natural persons, I have considered the
countervailing public interest in releasing information and consider that it does not outweigh the
need to withhold at this time.
b. Any reviews, audits, or internal evaluations of OIA handling processes undertaken
since 1 January 2024, including action plans or changes implemented in response to
findings that OIA performance was below statutory requirements.
The Ministry’s performance measure for handling requests under the Act is that 95% of received
requests are responded to within statutory timeframes, as reported in the Ministry’s Annual
Report. The Ministry has not been below 95% timeliness since 2018, therefore there have been
no findings of non-compliance that would have necessitated an internal audit, review, or report
in response to such findings. No information is within scope of this part of your request. This
part of your request is refused under section 18(g)(i) of the Act as the information requested is
not held by the Ministry and there are no grounds for believing it is held by another agency
subject to the Act.
c. Records of any correspondence between MOH, Health NZ and the Office of the
Ombudsman regarding delays, refusals, or compliance obligations, including the agency’s
responses to Ombudsman findings in last calendar year.
d. Records of any correspondence between MOH, Health NZ and the Office of the Privacy
Commissioner regarding delays, refusals, or compliance obligations, including the
agency’s responses to Privacy Breach findings in last calendar year.
The Ministry has no information regarding c
orrespondence between the Ministry, Health New
Zealand and the Office of the Ombudsman/ Privacy Commissioner regarding delays, refusals,
or compliance obligations, including the agency’s responses to Ombudsman findings in last
calendar year. Therefore, this part of your request is refused under section 18(g)(i) of the Act.
Correspondence between the Office of the Ombudsman/the Office of the Privacy Commissioner
regarding findings or cases is not considered under the Act and therefore is refused under
section 2(1)(i). The Act does not encompass information contained in any correspondence or
communication which has taken place between the Office of the Ombudsman and any public
service agency or Minister of the Crown or organisation and which relates to an investigation
conducted by an Ombudsman under this Act or under t
he Ombudsmen Act 1975, other than
information that came into existence before the commencement of that investigation.
5. Data governance for digital health systems
a. Any reports, risk assessments, or governance documents relating to the ManageMyHealth
patient portal data breach and subsequent cybersecurity improvements, including full timelines
of corrective actions taken by Health NZ or the Minister or Ministry.
ManageMyHealth (MMH) is a privately-operated online patient portal used by some healthcare
providers (e.g. general practices) to share health information with their patients. The cyber
security breach in late December 2025 involved access to documents stored in the ‘My Health
Documents’ section of the portal including hospital discharge summaries and documents
uploaded by patients themselves.
The Ministry does not have a contract with MMH, and as a private company, it is not under the
operational control of the Ministry. While it is not subject to the Of icial Information Act 1982, it is
subject to the obligations set out in the Privacy Act 2020 and the Health Information Privacy
Code 2020. MMH has been cooperating with Health New Zealand (Health NZ) as the lead
agency for the All of Government response to the incident.
To date, the All of Government Incident Management Team led by Health NZ as the lead
agency, has been providing the Minister of Health and other Government agencies with updates
on the incident. Health NZ is assisting MMH as it goes about notifying, communicating and
supporting impacted patients and health providers that use the service. MMH has also been
Page 2 of 3
granted interim injunction orders to prevent third parties using stolen health data that may be
posted from the incident.
The Office of the Privacy Commissioner (OPC) is New Zealand’s privacy regulator and has the
statutory mandate to enforce the Privacy Act and the Code. As required, MMH reported the data
breach to the OPC. The Privacy Commissioner wil undertake an independent inquiry into the
incident. More information can be found via its websit
e https:/ www.privacy.org.nz/.
The Minister of Health has commissioned the Ministry to undertake an independent review. The
review, developed in consultation with the Government Chief Digital Of icer and the National
Cyber Security Centre, commenced on 29 January 2026 and wil examine the causes of the
incident, assess the response, and provide recommendations to strengthen protections for
health information going forward.
We aim to complete the review by the end of April 2026. The Review’s scope and Terms of
Reference can be found on the Ministry’s website:
www.health.govt.nz/strategies-
initiatives/programmes-and-initiatives/manage-my-health-data-breach.
The Ministry wil not be making any public comment while the review is underway and cannot
predetermine the outcome of the review’s findings.
Therefore, the information in scope of your request relates to information about the security
settings and information that is subject to a current incident which is still active. This information
is refused under section 6(c) of the Act as its release would likely prejudice the maintenance of
the law, including the prevention, investigation, and detection of offences, and the right to a fair
trial.
If you wish to discuss any aspect of your request with us, including this decision, please feel
free to contact the OIA Services Team on:
[email address].
Under section 28(3) of the Act, you have the right to ask the Ombudsman to review any
decisions made under this request. The Ombudsman may be contacted by email at:
[email address] or by calling 0800 802 602.
Please note that this response, with your personal details removed, may be published on the
Ministry website at:
www.health.govt.nz/about-ministry/information-releases/responses-official-
information-act-requests.
Nāku noa, nā
Celia Wellington
Deputy Director-General
Corporate Services | Te Pou Tiaki
Page 3 of 3
