Manage My Health, an online patient portal and app that stores health information for over 1.8 million New Zealanders, was recently hacked by a ransomware group named Kazu. The hackers threatened to release the health information of over 120,000 New Zealanders unless a ransom was paid. A government review has been commissioned, and Kiwis are now on higher alert about their data safety.

Privacy lawyers have called for a review into what punishments companies can face for breaching user privacy. Manage My Health has started notifying the affected users. But how should organisations announce that their users’ data has potentially been breached?

In New Zealand, the main legal consequences for an organisation that suffers a user data breach come from the Privacy Act 2020. Under it, organisations must assess whether the incident is a “notifiable privacy breach”: one that it is reasonable to believe has caused serious harm to the people whose data was exposed, or is likely to do so.

Under the Privacy Act 2020, a privacy breach is defined as unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, personal information. It also includes an incident that prevents an agency from accessing personal information, either temporarily or permanently, which is why a ransomware attack that encrypts records is a breach even if no data is published. A breach may be caused by someone inside or outside the organisation, may be attributable in whole or in part to the agency’s own actions, and may be ongoing.

If serious harm is likely, the organisation must notify both the Office of the Privacy Commissioner and the affected individuals as soon as practicable after becoming aware of the breach; where notifying each person individually is not reasonably practicable, a public notice can be used instead. In practice, that notification needs to do more than acknowledge the breach occurred. It should clearly explain what happened, what types of information may have been accessed, and what steps are being taken to contain the situation.

“It is obvious that once people affected by a data breach come to know of it, they will be worried about their safety and their data. The best practice, therefore, after a data breach is to communicate quickly and clearly to affected users,” says Dr Vimal Kumar, Senior Lecturer and Head of Cyber Security Lab, The University of Waikato.

Accuracy is as important as transparency. Organisations should avoid speculation, vague wording, or minimising language, particularly while an investigation is still underway. Instead, the message should focus on what is known, what is still being confirmed, and when the next update will be provided.

Retaining data from people who no longer use a service is a problem in its own right. Some former users of Manage My Health have found years-old records at risk in this breach. “It should not be the patients’ responsibility to delete such old accounts if they did not individually get into a contract with the platform,” Kumar says.

“Security can be strengthened and security lapses minimised, but it can never be guaranteed that breaches will not happen. In addition to standard security practices, organisations should be very mindful of keeping data that is no longer needed. We definitely need stricter regulation and penalties for failure to comply.”

For affected users, guidance should be practical and specific. That can include recommendations such as changing passwords, enabling multi-factor authentication, monitoring accounts for unusual activity, and being cautious about phishing scams that may follow a publicised breach, which often imitate the breached organisation itself.

When companies delay disclosure or fail to provide meaningful updates, they risk further damaging trust. With cyberattacks increasingly targeting essential services such as healthcare, organisations are under growing pressure to handle these incidents with a careful balance of urgency and accountability.

Effective crisis communication

Public-facing communication after a cybersecurity incident should be treated as part of the incident response itself. New Zealand’s National Cyber Security Centre (NCSC) warns that communication is often overlooked in the early stages of incident management. Yet, it can strongly influence how customers, stakeholders, and the wider public interpret and respond to the event.

The first announcement should be quick, calm and factual. It should still acknowledge that some details may not be confirmed. The NCSC recommends that organisations strike a balance between sharing the clear information people need and avoiding sensitive details that could worsen the situation or even help attackers, such as the specific weakness that was exploited while it remains unfixed, or which systems are still being restored.

What you don’t know can be just as important as what you do know. Gaps in information should be noted so messaging can evolve responsibly as new facts emerge. Crisis messaging should also assume that anything said publicly could reach the media, even if it is intended for a limited audience.

To support consistent messaging, the NCSC recommends appointing a Communications Lead as part of an incident response plan, a person responsible for approving public and stakeholder communications and for ensuring consistency across channels. This helps avoid situations where different teams release conflicting or incomplete statements, which can fuel uncertainty and speculation online.

The NCSC suggests that even a brief holding statement is better than silence, because refusing to engage can result in organisations losing control of the narrative and allowing misinformation to fill the gap.

The NCSC cautions against creating a new email address solely for breach communications, as it may appear suspicious or fake to recipients. Instead, communications should be delivered through established systems such as official websites, verified social media accounts, and existing email or app notification channels. Notification emails should come from the organisation’s usual sending domain, and should tell recipients to log in by typing the site’s address rather than clicking a link, since attackers routinely imitate breach notices to harvest credentials.

Beyond reputation management, organisations also have a broader public safety role in how they communicate during cyber incidents. The NCSC notes that real-world incidents often prompt people to become more cautious online, from treating unfamiliar messages with suspicion to avoiding links and taking steps to protect themselves.

That means breach announcements are a valuable opportunity to strengthen cyber literacy in the moment, by giving users clear advice on practical actions such as watching for phishing attempts, verifying communications through official channels, and seeking support if something appears unusual.
