Notes from the Asia-Pacific region: NZ government releases Cyber Security Strategy, Privacy Act reform on the table

Several key themes are emerging following another cybersecurity breach in New Zealand's health sector, including resurfaced calls to further strengthen the NZ Privacy Act 2020.

Contributors:
Daimhin Warner
CIPP/E
Country Leader, New Zealand, IAPP; Partner
Simply Privacy
Editor's note
The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains.
Yet another privacy breach has impacted New Zealand's health sector, further shaking an already shaken community and calling into question the sufficiency of the country's cybersecurity settings and privacy law. Setting aside the harmful impact this breach has had on health consumers, this appears to have been the catalyst we needed to get a Privacy Act civil penalty regime on the table.
On 22 Feb., MediMap — a private portal used by aged-care homes, hospices, disability services and community health providers to coordinate prescriptions and record medication histories — was taken offline after it was discovered that some patient records had been tampered with by an unauthorized actor. MediMap's early investigations identified changes to fields including names, birthdates, assigned prescriber, and location of care and resident status, with some living patients incorrectly marked as "deceased."
For privacy professionals, this event is unsettling not only because of the direct impact on individuals and clinical operations, but also because it follows other high-profile breaches — notably the Manage My Health breach in late 2025, which involved the exfiltration of hundreds of thousands of medical documents. Taken together, these events suggest a broader pattern of cyber risk in health tech that goes beyond isolated vendor errors.
Several key themes are starting to emerge. First is the need for clarity of expectations. What baseline technical and organizational safeguards should be required for systems handling highly sensitive health information? Mandatory controls — for example, multifactor authentication, encryption at rest and in transit, regular independent security audits and incident response obligations — could help raise the floor of protection.
Second is making sure the health sector understands who is really accountable for ensuring these baseline safeguards are in place. It is alarmingly clear from these recent breaches that many organizations in the health sector do not fully understand their accountabilities and responsibilities when engaging third-party vendors such as MediMap.
Health NZ, for example, was quoted as stating that "as a privately owned company, it is MediMap that is solely responsible for its security and it needs to do everything it can." This is wrong; the health agencies using MediMap are responsible. Until this distinction is fully understood, we will continue to see breaches caused by a lack of appropriate due diligence.
Last but certainly not least, this breach has resurfaced calls to further strengthen the NZ Privacy Act 2020. New Zealand's Prime Minister Christopher Luxon has publicly underscored the need to "strengthen our cybersecurity laws." It appears this was not just hyperbole. On 27 Feb., New Zealand's Department of Prime Minister and Cabinet published the Cyber Security Strategy 2026-2030, with the vision for a New Zealand that embraces "cyber security to enable innovation, drive a prosperous economy and protect our digital way of life."
This strategy, and the associated Cyber Security Action Plan 2026-2027, provides the first concrete signs that the NZ Privacy Act might finally be strengthened. In addition to a multitude of actions to provide critical infrastructure operators — including health tech providers — with clarity and guidance on cyber resilience, the Action Plan tasks the Ministry of Justice with providing advice on: options to incentivize the protection of personal information from cyber threats, such as introducing a civil pecuniary penalty regime to the Privacy Act; and a potential new offense targeted at people who view, possess or disseminate personal information when they are aware it has been illegally obtained.
The MediMap breach should not be viewed as an isolated failure of one vendor's security controls, but as a stress-test of the wider regulatory and governance architecture surrounding digital health in New Zealand. The health sector needs certainty about minimum safeguards, certainty about who carries responsibility, and certainty that sensitive health information is treated as critical infrastructure. Until those lines are clear — in statute, in contracts and in governance practice — the sector risks learning the same lesson repeatedly, one breach at a time.
This article originally appeared in the Asia-Pacific Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.


