The system that keeps you alive just got hacked

Aotearoa's healthcare sector is having its most serious cybersecurity reckoning.
NZ's Cyber Security Strategy reported that around 100,000 New Zealanders had their private medical records stolen in December 2025. A health patient portal, used by GP practices across the country, had been compromised. Extortion demands followed.
Health records are not generic data. A single GP file can contain the most private moments of a person's life: a diagnosis they haven't told their family, a history of violence, details from an assault. For people whose records carry that kind of information, this is more than an abstract privacy concern.
Weeks later, a prescription app used by aged-care homes, hospices and disability services was taken offline after patient records were found to have been tampered with.
Two major health cyber incidents within a few months of each other. Both targeting the most vulnerable people in our community. Both made possible by gaps in how we design, build and govern digital health systems. A national Cyber Security Strategy published within weeks of the second breach confirms that this is no longer a backroom IT conversation.
We've been here before
In May 2021, a ransomware attack took down clinical and administrative systems across the Waikato region. Surgeries were cancelled, phone systems went dark, and stolen patient data ended up with the media. The post-incident review describes how the health data ecosystem had grown as an "emergent network over many years," largely clinician-driven and without the knowledge of IT teams. The result was a high-trust, low-security environment that turned out to be far more interconnected than anyone had realised. Clinical systems are designed to share data freely across trusted environments. That is what makes them work, and it is also what makes them a liability once an attacker gets in: the same trust that lets a clinician pull a record from another system lets the attacker do the same.
Poor security is rarely the result of indifference. It is usually the result of budget pressures and incentive structures that reward new clinical capability over infrastructure hardening. When the choice is between a new patient-facing system and a security uplift on a legacy platform nobody can see, the security uplift loses.
Five years on, the digital ecosystem has kept expanding, and so has its attack surface.
Health data is the most valuable data
It is worth pausing on why healthcare is such an attractive target. A health record bundles together full legal identity, date of birth, address, ACC history, medication, diagnoses and, in many cases, insurance and payment information. Unlike a compromised password, you cannot reset your medical history.
The more intimate the detail, the more useful it becomes for targeted phishing, impersonation and coercion. An attacker who knows your diagnosis, your address and your prescriptions knows enough to be convincing as your doctor, your insurer or your pharmacy.
Reportedly nearly 57 million health records worldwide were exposed in major breaches in 2025 alone. In this environment, basic security hygiene such as credential management, patching, network segmentation and access controls is not a compliance checkbox but a genuine operational need.
The structural problem
In its 2025 Health Digital Investment Plan, Health NZ publicly acknowledged that the health system has a "fragmented, old, and complex digital landscape".
The implications for security are significant. Highly networked systems are hard to segment. Legacy platforms, some of them decades old, sit inside the same trusted environments as modern clinical tools. When an attacker gets into one node, the high-trust assumptions baked into the network can carry them much further than intended: a foothold on one unpatched system becomes a path to the systems that trust it.
The Health Digital Investment Plan sets out an ambitious ten-year roadmap to stabilise and modernise this landscape, with cybersecurity explicitly identified as a priority. The plan includes a Ready Response to Cyber Attacks workstream, comprehensive monitoring and detection capability, secure identity management, and a patient data protection uplift. This is the right direction. But modernising a live healthcare system is like rewiring a building while the lights are still on. It requires partners who understand both the clinical context and the security disciplines involved.
Whole-of-economy challenge
In late February 2026, the New Zealand government released its Cyber Security Strategy 2026–2030, framing cybersecurity not as a technical problem but as a whole-of-economy challenge requiring shared accountability. It calls out health as critical national infrastructure. It sets four strategic objectives: understand, prevent and prepare, respond, and partner. The proposed mandatory requirements are explicitly designed to flow down through supply chains to technology vendors and managed service providers.
NZ's Health Information Security Framework already directs health organisations to check for ISO 27001 in their suppliers. The regulatory floor is rising. Partners who have already done the work to meet it, certified and audited, will be considerably easier to work with.
Security is a foundation
The right model builds security into the architecture from the start. It is the only way to build systems that can be trusted in a clinical context, where a disruption doesn't just cause inconvenience; it can directly affect patient safety.
It also requires genuine security competence in the partner delivering the work. ISO 27001:2022 certification represents a meaningful bar: it requires a documented and audited information security management system, with processes spanning risk assessment, asset management, access control, incident response and business continuity. When health organisations are selecting digital partners, it is the difference between a vendor who talks about security and one who can actually demonstrate it.
The opportunity
Although it would be easy to read all of this as a story purely about risk, there is a real opportunity for health organisations willing to act with intention.
The sector is having an honest conversation about the true cost of digital fragility: not just the financial and reputational cost of a breach, but the direct patient safety implications. Government investment is flowing. The regulatory environment is tightening. There is growing recognition that the right digital partner is not one who delivers a feature set on time, but one who takes shared responsibility for the security and resilience of the systems they help build.
For us, building the NZ COVID Tracer app (804 million QR code scans, 3.6 million registrations, Bluetooth tracing data for the entire country) required a security architecture that could withstand national scrutiny at a moment when public trust in the government's handling of personal data was under a microscope.
Organisations that invest now, in secure-by-design architectures, in certified partners, in genuine security uplift across their digital estate, will not just reduce their exposure. They will be better positioned to participate in the national digital health infrastructure taking shape over the next decade: the Shared Digital Health Record, the modernised primary care platforms, the AI-enabled clinical tools already being piloted across the sector.
Security in healthcare is a clinical obligation.