The recent breaches of ManageMyHealth and Neighbourly have exposed more than just personal data—they’ve revealed a troubling pattern in how New Zealand companies treat our most private information. While the media focus inevitably turns to shadowy hackers and ransom demands, we’re missing the elephant in the room: the companies who promised to protect our data and failed spectacularly.
First up, let’s be clear: they call it ‘data’, but they should call it ‘our personal and private information’. ‘Data’ sounds like a bank account number or a tax number, but what has been stolen is far more than that, and far more personal. We all have an inherent right to privacy. No one has the right to know my birthdate, my shoe size, my blood type, my income, my medical history, my education qualifications, my DNA, my address, my thoughts about immigration… So let’s not faff about calling this a data breach. It’s a broken promise to protect my privacy, a fundamental failure to respect me as a human being.

The Breach Playbook: Rinse and Repeat
By now, we know the script by heart. A company discovers unauthorized access to their systems. Days pass before the public learns anything. Eventually, an announcement arrives with all the warmth of a legal department draft: “We take data privacy seriously… working with authorities… implementing additional security measures… deeply regret any concern this may have caused.”
ManageMyHealth followed this playbook to the letter. After claiming on New Year’s Eve that the breach had been “contained,” they revealed the next day that up to 126,000 patients were affected. The hackers—calling themselves “Kazu”—now threaten to release over 400,000 files including clinical notes, lab results, passport details, and intimate photographs unless they receive $60,000.
Neighbourly’s breach is equally serious, with GPS coordinates, private messages, and personal posts from up to one million Kiwis now for sale on the dark web. The bitter irony? Their website still promotes itself with the tagline: “your personal information is safe.”

Crime One: The Hackers (Maybe)
Yes, the hackers—if they are genuinely independent actors and not part of some more complex scenario—are criminals. They’ve stolen data, issued threats, and are attempting extortion. Health Minister Simeon Brown correctly notes these are “criminal actors who act with criminality.”
But let’s be honest: hackers exist. They always have, and they always will. Blaming hackers for a data breach is like blaming rain for your roof leaking. The rain isn’t the problem—your defective roof is the problem.
Crime Two: Corporate Negligence
This is where we need to shift our focus. These companies collected our most sensitive information—medical records, home addresses, private conversations, GPS coordinates—with explicit promises of security. They built their entire business models on public trust. And then they failed to maintain that security to an acceptable standard.
Patrick Sharp from Aura Information Security explains that websites are “very complex systems” that undergo constant updates, and “unless they maintain a high degree of security during the development process and the update process, those vulnerabilities can be quite impactful.”
In other words: they knew the risks. They had the responsibility. They failed anyway.
Consider what’s now exposed from ManageMyHealth: your medical history, mental health records, test results for sensitive conditions, photographs of your body. This isn’t just “data”—it’s your dignity, your privacy, your security. As cyber security expert Paul Spain warns, in some cases this information “could actually put people’s lives at risk.”
The Apology Industrial Complex
What frustrates most is the predictable response. A carefully worded statement. Passive voice everywhere. “Mistakes were made.” “The incident occurred.” Never “We failed to protect your data” or “Our security was inadequate.”
Then comes the promise: enhanced security measures, third-party reviews, lessons learned. But here’s the uncomfortable truth—these measures should have been in place before collecting sensitive data from hundreds of thousands of people. You don’t get credit for locking the door after the burglars have left.
Minister Brown has ordered a review and stated “I think it’s pretty unacceptable what’s happened to be honest.” He’s right. But will there be real consequences? Will companies face meaningful penalties for failing to protect data they promised to secure? Will there be enforceable standards that prevent this from happening again?

The “She’ll Be Right” Attitude
Spain identifies a troubling cultural dimension: “We seem to have a kind of ‘she’ll be right, mate’ attitude to cyber security in New Zealand.” It’s surprising, he notes, “how many organisations don’t get regular cyber security audits carried out or have a good level of clarity around where their risks are.”
This casual approach might work for a backyard barbecue, but it’s criminally negligent when applied to health records and personal information. An organisation the scale of Stuff (which owns Neighbourly) or a platform managing 1.8 million medical records should be held to the highest security standards—not because regulators force them to, but because the nature of their business demands it.
What Needs to Change
First, we need accountability. Companies that fail to adequately protect personal data should face penalties severe enough to make proper security measures the obvious financial choice. The cost of a breach should exceed the cost of prevention—dramatically.
Second, we need transparency. When did ManageMyHealth actually discover the vulnerability, and when was it first exploited? How long had it existed? What specific security measures were missing, and what has actually changed since? The public deserves answers, not PR spin.
Third, we need to question the whole model. Do these companies need to hold all this data? Can they minimize what they collect, and how long they keep it? Can they build in encryption and security by design rather than bolting them on afterwards? Encryption is no cure-all: an attacker who gets in through the application itself, or who takes the keys along with the data, reads everything regardless. Holding less data for less time is the one control that still limits the damage after every other control has failed.
Finally, we need to stop treating data breaches as natural disasters. They’re not acts of God—they’re failures of corporate responsibility. Hurricane damage is tragic but unavoidable; data breaches from inadequate security are neither.
The Real Victims
Lost in all this are the actual victims: elderly Neighbourly users who might now fall prey to sophisticated scams using their GPS locations; patients whose medical conditions become public; people whose most vulnerable moments are now commodified on the dark web.
As Sharp warns, affected individuals—particularly vulnerable or elderly people—need help understanding and vetting any unsolicited contact they receive. The aftermath of Australia’s 2022 Medibank breach resulted in “tens, or maybe hundreds of thousands of actual financial crimes.” We may be seeing just the beginning.

A Call for Change
The next time you hear about a data breach, ask yourself: why are we spending so much time talking about the hackers and so little time demanding accountability from the companies who failed in their duty of care?
Both are crimes. But only one could have been prevented by the people we trusted with our information.
It’s time New Zealand wakes up to the second crime—the one hiding in plain sight behind carefully crafted apologies and promises of “lessons learned.” Because until companies face real consequences for failing to protect our data, these breaches will keep happening, the apologies will keep coming, and we’ll keep pretending this is just about hackers.
It’s not. It’s about trust betrayed and responsibility abandoned.
And that’s a crime we can actually do something about.
What do you think? Should companies face harsher penalties for failing to protect our data? Should the people whose personal information is given away be compensated? Share your thoughts in the comments below.
