Another Day, Another Data Breach
In the wake of the Manage MyHealth data breach, many New Zealanders are now facing the prospect that their health and personal information is no longer private.
The New Zealand Government (Health Minister Simeon Brown) is commissioning a review of the Manage MyHealth cybersecurity breach noting: “We must learn from this incident to avoid any repeat events in the future.”
The purpose of this review will be to;
- assess the cause(s) of the incident,
- review the adequacy of data protections that are in place and the response to the incident, and
- recommend any improvements required to prevent similar incidents occurring.
The Manage MyHealth data breach is clearly the catalyst for this review. However, there is a broader issue that warrants consideration, not just in New Zealand but globally.
To participate in the digital economy, you have to pay – and you pay with personal data.
Name, address, phone number, date of birth, copies of passports or driver licences.
This information is routinely requested by employers, utilities, service providers, and institutions across daily life.
Most New Zealanders operate on a high-trust model, often without visibility of how widely this information is stored, shared, or retained.
The New Zealand Privacy Act was updated in 2020, with a key principle that organisations should only collect identifying information where it is necessary to provide a product or service. Health services do present genuine challenges in this regard, however the structure of the system itself remains flawed.
It is not a question of if another breach will occur, but when.
The challenge is not whether digital systems can be made secure, but how participation in the digital society can be decoupled from permanent exposure.