Manage My Health: A case study in crisis comms mismanagement
The Manage My Health (MMH) cyber breach of late December 2025 will be remembered as one of New Zealand’s most serious health data incidents. People expect their personal data to be kept safe and secure by the businesses they entrust with it.
Any breaches of privacy are extremely troubling, but data relating to personal health and wellbeing is particularly sensitive.
When more than 120,000 patients’ data was hacked from the MMH platform, users were understandably anxious.
The company’s slow and inadequate communication left users exposed, with no real assurance about how the incident was being handled and no guidance on whether their data was at risk or if they should take any action.
The response was a textbook failure in issues management and being unprepared for when – not if – a cyber incident occurs.
What will endure is reputational damage; a failure to communicate with speed, clarity, and leadership when it mattered most.
A slow response in a fast‑moving crisis
MMH identified unauthorised access on 30 December 2025. Within days, hackers were publicly threatening to release hundreds of thousands of medical files unless a ransom was paid.
Media broke the story on New Years Eve, which was when many patients and clinicians were hearing about this for the first time.
It’s unfathomable that patients and clinicians found out about the breach from reports in the media, rather than direct stakeholder comms from Manage My Health.
From a trust perspective, this is a critical failure. Best practice incident response requires early acknowledgement, even when all facts are not yet known.
Reputational damage is rarely caused by the initial event alone; it is shaped by how an organisation responds once an issue erupts into public view. In the MMH case, the communication response did not merely lag, it actively worsened the situation.
For a critical early window, patients and GPs had no idea if they were affected.
From here, coverage intensified. Experts warned of identity theft and extortion risks, and anxiety among patients and clinicians escalated rapidly.
Best practice issues management calls for early acknowledgement, even when information is incomplete – paired with clear explanations of what is known, what is not, and what the company is focused on next.
Of course, all of the above needs to be wrapped in an empathy for those impacted. These are people who are worried about their personal health data, not a box to be ticked in a response matrix.
In an environment where news spreads instantly and trust erodes quickly, waiting for certainty before speaking is an outdated and dangerous approach.
In this case, silence created a vacuum – and that vacuum was quickly filled by speculation, criticism, and fear.
Stakeholders were treated as an afterthought
One of the most damaging aspects of the MMH response was the apparent lack of stakeholder prioritisation.
When issues erupt, organisations must immediately map and sequence stakeholders – identifying who needs to hear from you first, directly, and personally.
MMH failed this test on two critical fronts:
Patients, whose most intimate data was at risk, were left in the dark while ransom threats circulated publicly.
GP practices, who rely on MMH daily and act as intermediaries for patients, were left uninformed during a holiday period.
In healthcare, this is not simply a communications misstep. It is a breach of trust.
In the absence of clear leadership communication, the narrative was shaped by hackers accelerating deadlines and mocking the company’s silence, cybersecurity experts warning of blackmail and identity theft, and politicians publicly expressing frustration.
When Health Minister Simeon Brown felt compelled to publicly urge clearer communication, it underscored how far the situation had escalated beyond MMH’s control.
In a crisis, if you are not leading the conversation, you are losing it.
While MMH did eventually acknowledge these shortcomings, it was already too late – anxiety had peaked, trust was eroded, and industry confidence in the platform was shaken.
The hard truth for organisations handling sensitive data
The MMH breach should be a wake‑up call for every organisation operating in high‑trust, high‑stakes environments.
Cyber incidents may be unavoidable. A reputational crisis is not.
Issues management is not about spin or suppression – it is about decisive, human‑centred leadership under pressure.
MMH didn’t fail only because it was attacked; it failed because, once the breach occurred, its slow and unclear communication accelerated the collapse of user confidence.
One of the company’s biggest failures – beyond the breach itself – was underestimating how quickly trust erodes when people are left without information that directly affects them.
In crises involving data, communication is harm reduction. When it is delayed or diluted, the organisation becomes the second incident.
That is the real communications lesson to be learnt here, one New Zealand businesses should be taking note of for their own reputation.
____________________________________________________________________
Need help managing a reputational issue or preparing for a crisis?
Houston Issues Management is a service within Pead. We understand that one issue, big or small, can derail sales, damage relationships, and shake team culture. Whether you're facing a sensitive stakeholder situation, a media storm, or simply want to future-proof your reputation, our team of senior communications experts is here to help.
We offer a proven four-phase methodology – Prepare, Train, Activate, Reignite – designed to support organisations before, during and after a crisis. From risk assessments and stakeholder mapping to real-time strategic counsel and full brand recovery campaigns, we bring clarity, calm and control when it matters most.
Our specialists have helped clients across industries navigate complexity, protect trust, and emerge stronger. If you're looking for a safe pair of hands and a team that has seen it all before, you've found them.
Contact us at info@HoustonIM.co.nz to learn more about our services and bespoke training courses in this area, and how we can help you.