Over the summer holiday period, there has been intense and justified focus on the Manage My Health data breach. More than 120,000 people in Aotearoa had deeply personal health information exposed – information such as discharge summaries, referrals, and uploaded documents. Not administrative data, but the kind of information that most people never expect, or consent, to be seen outside a trusted clinical setting.
The first public responses followed a now‑familiar pattern: Management briefings, cyber security experts, technical investigations, system fixes. All of this matters – but it is incomplete. What is now playing out is not just a failure of systems, but a failure of governance.
When harm occurs at this scale, the question is no longer technical. This is about accountability.
Digital systems are no longer “tools”.
In my observer‑role work with the UN‑CSTD on global data governance, I have access to frameworks and research that help explain why breaches like this feel so confronting. One piece that strongly resonates is The Lancet and Financial Times Commission on Governing Health Futures 2030.
The main key takeaways are important for this recent data breach: digital and data systems are no longer tools – they are infrastructure. They shape how we access healthcare, how decisions are made about us, and how power is exercised, often invisibly. Once systems reach that level of influence, the central question changes. The Commission states that digital transformations are embedded in all areas of life. That question now sits at the centre of the Manage My Health breach.
Accountability that keeps shifting.
Responsibility appears to shift depending on who is speaking. The government says it’s not theirs. Providers point to management or service providers. Meanwhile, 120,000 people are left navigating fear, anger, and uncertainty about who has accessed their most sensitive information, and what that means for them now and in the future.
The breach (unfortunately) makes for a good case study in what not to do. Not to assign blame prematurely, but to understand where governance failed to keep pace with reality. This is exactly the risk global frameworks (and the Lancet article goes into more of this) have warned about for years: digital capability moving faster than stewardship.
Who is not in the room?
The Lancet Commission places strong emphasis on children and young people – and for good reason. This is the first generation to grow up entirely within digital environments. Identity, learning, income, and relationships are deeply embedded within online systems. Yet young people are rarely in the room where decisions about these systems are made.
Young people will either lead digital transformation or bear the consequences of us getting it wrong.
This is not just a youth issue. Older adults are also being rapidly moved into online‑only services in government, health, and welfare systems they did not design, and (often) if you need the service, you can’t opt out of an online portal or digital identity checks. Participation is framed as choice, but in practice it is compulsory. And when participation is compulsory, governance must go far beyond compliance checklists.
Trust is breaking down.
In December 2025, while meeting with our Australian Indigenous Governance Institute partners in Sydney, I watched an Australian morning news segment featuring a parent threatening legal action after the government banned under‑16s from social media. Her concern was that her daughter could no longer earn income from online content. I was left questioning the mother, not the child.
These debates are not really about screens. They are about who protects whom – and based on what values.
Bans and restrictions are not long‑term solutions. They are symptoms of governance frameworks failing to keep pace with systems that shape behaviour faster than regulation can respond.
Why does this matter for the Community Sector?
For the community and not‑for‑profit sector, this issue should land especially hard. Our communities are at the heart of frontline trust. We often hold information about people’s health, safety, housing, and wellbeing, and we often aren’t keeping pace with changing expectations and requirements.
As services digitise, organisations are pushed onto shared platforms and third‑party systems, while funding models reward volume and outputs rather than resilience.
When we underinvest in governance, accountability doesn’t disappear – it just gets displaced. We end up blaming the process, management, or systems instead of owning responsibility.
And that brings us back to a question: Who protects who – and based on what values?
Opinion Piece: Chief Executive Officer, Community Governance Aotearoa: Rose Hiha-Agnew
References / Further Reading
Manage My Health data breach (Aotearoa New Zealand):
- RNZ – Manage My Health data breach: timeline and impacts
- Office of the Privacy Commissioner – Information for people impacted by the Manage My Health breach
- Newsroom – Stakes are high in Manage My Health breach fallout
Global governance and health futures:
- The Lancet & Financial Times Commission – Governing Health Futures 2030: Growing up in a digital world
