Reply To: Manage My Health hack thread
GPA’s letter requesting guidance from the Privacy Commissioner.
Today we sent the following letter to the Privacy Commissioner:
Dear Michael Webster,
General Practitioners Aotearoa (GPA) is an organisation representing general practitioners across New Zealand. Several of our members have contacted us with significant concerns regarding the consequences of the recent Manage My Health privacy breach.
We appreciate the statement published on your website for affected Manage My Health patients. However, general practitioners also require clear and practical guidance. On behalf of our members, GPA is seeking your advice regarding the appropriate process for informing affected patients, including expectations around written communication, mitigation steps, and compliance with privacy obligations.
Many GPs adopted Manage My Health in good faith, with the understanding that it was a secure and reliable patient portal. This was particularly because email is widely recognised as an unsafe medium for transmitting sensitive clinical information. As a result of this breach, many of our members have lost confidence in the platform and are now uncertain about how to proceed.
GPs are concerned about potential liability despite having relied on a system that was marketed and accepted as secure. There is significant confusion and distress among practitioners about the extent of their responsibilities when a privacy breach occurs within a third-party patient portal, particularly when their options for secure electronic communication are limited and alternative solutions are not readily available.
In particular, our members would value clarification on the extent of general practitioner liability in this context, whether additional patient notification is expected from practices beyond communications issued by the portal provider, and what practical steps should be taken to ensure compliance with privacy obligations. Clear, step-by-step guidance would help promote consistent, lawful, and patient-centred responses across primary care.
If possible, GPA would welcome a written guidance document or position statement that could be shared with general practices to support them in managing the current situation and similar incidents in the future.
Thank you for your consideration. We would welcome any advice or resources your office is able to provide.
Yours sincerely,
Dr Buzz Burrell – Chair, General Practitioners Aotearoa
On behalf of the Board and members.
chair@gpaotearoa.co.nz
027 578 0979
