The Phase 1 Report
On 27 May 2026, the Office of the Privacy Commissioner released its Phase 1 report into the cyber security breach affecting the Manage My Health patient portal. The breach affected 99,416 patients, around 91% of them in Northland. The OPC found that both MMH and Health NZ breached rule 5 of the Health Information Privacy Code.
The report contains guidance and implications for many areas of professional practice, including governance, security assessment, privacy impact assessment, contract drafting, Privacy Act compliance, and legislative reform. In this and a series of later articles, I’ll be addressing some of the more important topics and themes.
This first piece focuses on rule 5 of the Health Information Privacy Code. For anyone advising on or managing privacy compliance in New Zealand, particularly but not only in the health sector, the report’s treatment of rule 5 is essential reading. It contains what is likely the most detailed statement from OPC to date on what “reasonable security safeguards” actually requires in practice, particularly in the health sector but also in analogous contexts.
Rule 5 is not just about technical IT controls
The report makes it clear that security safeguards under rule 5 are not limited to technical IT protections. The report identifies three categories of important controls:
- Technical controls: access controls, multi-factor authentication, monitoring for unusual activity, web application firewalls, data leakage prevention, and the like.
- Organisational controls: such as embedding privacy and cyber security due diligence into procurement, having appropriate contractual obligations, adequate governance both during projects and once they shift to business as usual, thorough risk management documentation, contract management and assurance processes, periodic review of risks, regular testing and retesting, well-designed policies and processes, and staff vetting and training.
- Physical controls: such as premises access, clear desk policies, etc. These were not relevant to this breach and were not assessed, but the report notes that they are part of the broader framework.
The report notes that technical, organisational, and physical controls need to work together to create a broader framework to protect personal information and mitigate information security and cyber security risks.
For those advising on security in the public sector, this will come as no surprise. All such controls and more can be found within the Government’s Protective Security Requirements, NZISM, and NCSC’s Minimum Cyber Security Standards.
What’s notable here is that OPC was not only assessing some of these controls in relation to one of the country’s largest Crown entities, but was also making it clear that expectations for private sector entities entrusted with sensitive personal information cover the same dimensions (albeit not necessarily the same range of controls) as those for public sector agencies.
The message is clear: if an agency is strong in some but not all of these areas, it may still be in breach of rule 5.
“Reasonable” is proportionate to risk, not to size
The report addresses head-on the question of what “reasonable in the circumstances” means. The Privacy Commissioner’s position is two-fold: reasonableness is not a low threshold, and the more sensitive the personal information, the stronger the protections must be.
Agency size and resources can influence what is proportionate and practicable. But a small agency whose business is to handle high-risk information will not be held to a lower standard because of its size or because security costs money. It will still be expected to have strong and effective protections. The nature and number of those protections may differ from those a larger agency would deploy, but the standard remains high.
MMH is a small, closely held company, but the report is clear: because its entire business focuses on handling and storing sensitive health information, rule 5 requires it to have very strong technical and operational security safeguards in place.
The standards the Commissioner considers relevant
The report identifies several standards and frameworks that, in the Commissioner’s view, help to inform what rule 5 requires. The report notes that OPC does not enforce these standards, but treats them as useful aids to interpretation. In practice, that means agencies that comply with them will be better positioned to demonstrate compliance with rule 5, and agencies handling sensitive personal information that fall short of them may have difficulty arguing that their safeguards were “reasonable”.
The key standards referenced are:
- The Health Information Security Framework (HISF), issued by the Health Information Standards Organisation (part of Health NZ). OPC considers this particularly useful because it sets out expectations specific to New Zealand health agencies and reflects what the sector has determined is practicable and proportionate for each category of agency.
- The National Cyber Security Centre (NCSC) Minimum Cyber Security Standards.
- ISO/IEC 27001 and related international information security standards.
- The National Institute of Standards and Technology (NIST) frameworks.
The report notes that the HISF broadly aligns with the international standards but provides greater health sector specificity. For patient portal providers, the relevant HISF sections are those that apply to health sector suppliers.
Not merely documents but effective controls
Perhaps one of the most pointed observations in the report is that compliance is not merely about whether an agency can show it has a variety of documents, processes, or controls that are listed in a framework. “Instead,” it says, “the question often is whether safeguards relevant to the risks involved were operating effectively in practice at the time of the incident.”
This is one of the ways in which MMH is said to have come unstuck. It had some security testing, some governance documentation, some risk management processes, and some monitoring tools. But the inquiry found that, in practice, those controls were not sufficiently effective. It is said that vulnerabilities were repeatedly identified and marked as fixed, only for similar issues to reappear later. Monitoring did not detect the breach. Risk management processes did not ensure that safeguards were actually working.
OPC found seven areas in which protections were said to be ineffective (the first seven below), and three where only partially effective protections were in place. The report discusses each in detail but for present purposes we can list the combined ten areas:
- the need for multifactor authentication
- identity and access management
- web security
- patch and vulnerability management
- system acquisition, development, and maintenance
- logging and monitoring
- data leak prevention
- governance, oversight and risk management
- information security incident management, and
- change management.
Although not relevant to this particular breach, OPC also took the opportunity to list other potential areas of vulnerability that third party suppliers such as those providing health portals “would be wise to consider”. It said these include:
- supply chain management
- test environment management
- cloud security
- endpoint security
- information backups
- cryptography
- business continuity, and
- asset management.
OPC’s findings and this additional list of areas of vulnerability have clear implications for privacy/security impact assessment, contract drafting, and in some cases procurement processes. (There are nuances here that may be explored in a subsequent article.)
OPC’s position is that “set and forget” is not acceptable, particularly in dynamic digital environments. Controls must be periodically reviewed, tested, and validated. The report also recommends looking beyond individual vulnerabilities to underlying causes, so that agencies can stop problems from resurfacing.
The report also notes that over-reliance on a vendor’s information about its security and privacy risk profile can be problematic. “A degree of independent assessment”, it says, “is essential”.
What this means for agencies beyond the health sector
OPC explicitly recommends that all agencies handling sensitive personal information, or engaging third parties to do so, should review the findings of the inquiry. IPP 5 of the Privacy Act and rule 5 of the Health Information Privacy Code are largely identical, and the report’s findings about what constitutes reasonable security safeguards apply equally or similarly in analogous contexts.
If your agency holds sensitive personal information, whether in health, education, social services, financial services, or any other sector, it seems the standards set out in this report are the benchmark that OPC will apply.