Independent review identifies cyber security need for New Zealand health system

An independent review into a patient portal data breach and cyber incident in New Zealand has identified a need for stronger cyber security across the nation’s health system, suggesting the incident should be viewed as a “call to action”.

The breach was reportedly detected in December 2025, with unauthorised access being made to a patient portal and sensitive personal health information being stolen. The review found that this could have been prevented, citing weaknesses in technical controls and incident preparedness, as well as issues with the management of cyber risks across third-party suppliers.

“Significant security control gaps” were present in the portal, and known risks had not been addressed, the review highlights. As a result of the breach, patient communications were delayed, with identified impact including “confusion and a loss of trust”. Although improvements have been made since this time, the review indicates more still needs to be done in terms of assurance, including stronger oversight of third-party suppliers storing sensitive health data.

Within three months, the portal should undertake further penetration tests on its web and mobile apps, the review recommends. Clarification should also be sought on any critical services provided to the portal by third-party suppliers, to better understand the nature of the contract in place and what patient data is involved.

Over the next six months, more should also be done to strengthen supplier compliance with the national Health Information Security Framework, and a register should be kept of any suppliers that store or process sensitive health information “tiered by risk factors” such as volume and criticality to care delivery. Regular tabletop exercises with critical suppliers to better define roles and responsibilities are recommended over the next 12 months.

“The report concludes that the incident should be treated as a call to action for the health sector, highlighting the need for stronger system stewardship and more consistent management of cyber risk,” the Ministry of Health shares.

Wider trend: Cyber security

For a recent HTN Now webinar, we were joined by digital leaders from across the health sector for a deep dive into cyber security in healthcare, exploring strategic challenges, preparedness, recovery, and how best to embed resilience into clinical, technical, and governance frameworks. Making up our panel were Nasser Arif, cyber security manager at London North West University Healthcare NHS Trust and Hillingdon Hospitals NHS Foundation Trust; Lee Rickles, CIO at Humber Teaching NHS Foundation Trust; and Andy Wilcox, Imprivata’s senior product marketing manager.

In a separate panel discussion on the topic of clinical continuity and cyber resilience, HTN was joined by experts from across the health sector, including Alan Simpson, CISO at Rapid7; Stuart Cooney, CTO at Royal Berkshire NHS Foundation Trust; and John Mitchell, assistant director of digital at Humber and North Yorkshire ICB. Our panel considered the evolving threat landscape, current capabilities, emerging technologies, and best practices for ensuring resilience both now and in the future.

The board of NHS England has ranked a cyber incident higher on its organisational risk registers than a pandemic, following an assessment of mitigations and preparedness already in place, likelihood, and impact. The cyber risk target score has been set at 16 by 2030, which NHSE claims offers closer alignment with the cyber strategy lifecycle, whilst remaining “above appetite” due to persistent external threat levels, “variable sector maturity”, and a reliance on supplier assurance and recovery planning. A simulation exercise is scheduled to take place in July with a small sample of NHS organisations, to help evaluate resilience to a cyber event, looking at ability to maintain critical services and coordinate a national response during a prolonged period of disruption.