Navigating Employee Privacy Amid the Manage My Health Data Breach
In late December 2025, hackers accessed sensitive medical records of around 120,000–127,000 users via the Manage My Health portal, an incident that triggered regulatory scrutiny under the Privacy Act 2020.
New Zealand employers (including healthcare providers and third-party vendors operating platforms like Manage My Health) are classified as "agencies" under the Privacy Act 2020. They must:
Collect only necessary personal data, for legitimate purposes.
Store and use it securely.
Process and share it only within the scope initially disclosed.
Dispose of it once it is no longer required.
While this breach primarily concerns patient data, it also affects employees who may have had privileged access to the system or whose employment data resides on it. Under the Privacy Act, employee-related details (HR records, communications, scheduling logs) are equally protected.
Information Privacy Principle 9 of the Privacy Act 2020 specifies that an agency must not retain personal information longer than necessary for lawful purposes.
Arguably this means that once an employee leaves, all information about their employment, except what the law requires to be kept (such as payroll and holiday pay records), ought to be disposed of. This minimises the risk of internal misuse and reduces exposure if a wider data breach occurs.
Further, under the Employment Relations Act, both parties are bound by a duty of good faith. For employers, this means transparency about data collection, processing, storage, and usage, especially when employee monitoring is involved.
The Privacy Commissioner has pursued cases of employees abusing access rights, such as collecting unauthorised personal information and using it for personal ends, even where the organisation took no active part. In the context of this breach, should any employee misuse their access or share patient or co-worker data improperly, the organisation could face significant legal and reputational consequences.
In BMN v Stonewood Group Ltd (2024), the Tribunal found that removing an employee's laptop and personal USB drive, without a clear lawful purpose, breached multiple Privacy Act principles. Stonewood was ordered to pay $60,000 in damages. The case underscores the importance of clearly stating the lawful purpose for accessing or retaining employee devices, ensuring that retrieval of devices or access is transparent and lawful, and having comprehensive policies and employment agreement clauses governing access to personal data.
The Manage My Health breach signals growing regulatory and tribunal attention to how data is managed within employment relationships.
Employers face dual liabilities: under the Privacy Act for data misuse, over-retention, or inadequate protection; and under employment law for failing to act in good faith or breaching contractual terms.
Equipped with clear policies, transparent processes, and legal insight, organisations can better safeguard both employee and patient rights, reducing the risk of costly legal fallout.
If you need help integrating employment and privacy frameworks, or reviewing policies and agreements to ensure compliance, BuckettLaw is ready to assist.