Healthcare & Aged Care
A patient's trust takes years. A data breach takes an afternoon.
For NZ general practices, specialists, PHOs, and aged care — written for the patient record altered overnight, the breach letter that has to go out Monday morning, and the Health Information Privacy Code question no one wants asked on the spot.
Sector Reality
The question a customer or insurer asks before the deal
It rarely starts with a breach. It starts with the Privacy Commissioner asking what the HIPC pack actually contains.
Waiting costs more in health. A patient access request becomes a deadline. A HIPC gap becomes a Commissioner notification. A DHB subcontractor question becomes a lost referral pipeline. None of them are clinical emergencies. All of them take longer to fix than the original question would have.
Common Pressure Points
Where the questions cluster before the deal lands
Where the Privacy Commissioner, Te Whatu Ora, the practice manager, and the primary-care parent all ask for different slices of the same record
A patient record gets altered overnight. No one can say by whom.
A record shows a change at 2am — made under a login that's shared across four reception staff, one locum, and a part-time nurse who left last month. The Privacy Commissioner, a patient's lawyer, or an insurer won't accept 'we don't know.' Without individual login ownership, the investigation starts in a hole nobody can climb out of.
Monday 8am. A patient calls about a letter from a sender you don't recognise.
Under the Privacy Act and the Health Information Privacy Code, the breach clock started the moment the incident was known, not the moment someone writes the notification. Practices without a written response plan spend the first eighteen hours arguing about who calls the lawyer, who calls the Privacy Commissioner, and what the letter to patients should actually say. The news cycle doesn't wait.
The sector's weakest link sets the tempo for everything else
Attackers go after whoever is easiest — and in health, that's often aged care facilities running on minimal IT, older systems, and staff who weren't hired for cybersecurity. But the same weakest-link dynamic plays out in every GP practice and PHO: one shared login, one unpatched laptop, one after-hours remote-access point. Attackers know which ones are easy, and they share the list.
One shared clinician login, five staff using it, and an audit trail that can't prove anything
It works fine on an ordinary Tuesday. It stops working the day a patient queries why their record was accessed on a night no one was in: the audit log says 'the reception login did it', and no one can prove otherwise. With the new Privacy Act notification rule (IPP 3A) effective 1 May 2026, that's a gap the regulator will notice.
Standards That Apply
The evidence that ends the questionnaire loop
Common obligations and buyer expectations
Relevant Services
First month: baseline, ownership, and one piece of evidence
The first move: a patient-data access map, a tested breach-notification response, and one piece of evidence for the next HIPC or DHB-subcontractor review
Stop searching ten systems every time a customer asks for their data
Map where personal information enters your business, where it goes, and who is responsible before privacy obligations or customer questions catch you out.
Catch privacy risk before the project launches
Work out whether a project creates privacy risk before launch, with clear decisions, mitigations, and evidence you can stand behind.
Know who gets told, when, and what, the moment a breach hits
Get the business ready to respond to a privacy breach with a practical plan, decision guide, and rehearsal before the real call comes in.
Run the first hour of an incident without winging it
Give the team a usable response plan for the incidents most likely to hurt the business, before the first real incident hits.
Stop maintaining policies nobody actually reads
Put the policies the business actually needs in place, keep them current, and stop policy work turning into an annual scramble.
Stop guessing when a buyer asks how secure you are
See where the business is exposed, what matters first, and what should be fixed before the next review, buyer question, or renewal lands.
Questions We Hear
The questions every discovery call opens with
We're a small practice — can we really afford security support?
Healthcare data breaches are the most expensive of any industry — averaging $9.77 million globally. NZ has had four major healthcare breaches in five years: Waikato DHB ($16.5M insurance claim), Mercury IT (14,500 coronial files compromised), ManageMyHealth (127,000+ patient records), and MediMap (patient records altered in 60% of aged care facilities). Support starts from $1,750 a month — less than the cost of a single privacy complaint investigation.
Our IT provider already manages our security — why do we need this?
Your IT provider manages your systems and network, and they do that well. But HIPC compliance, Privacy Act breach notification, patient data handling, clinical system risk assessment, and Privacy Commissioner readiness are not IT tasks. Your IT provider doesn't write your privacy policy or run your breach response plan.
We haven't had a patient data breach — why act now?
NZ healthcare has been hit by four major breaches in five years — Waikato DHB, Mercury IT, ManageMyHealth, and MediMap. Privacy complaints jumped 21% last year, with health consistently among the top sectors for serious breach notifications. With the new Privacy Act notification rule (IPP 3A) taking effect on 1 May 2026, every referral and lab result that enters your system without proper notification processes is a gap. The question isn't whether an incident will happen — it's whether you'll be ready when it does.
How does this help with Health Information Privacy Code compliance?
Our work maps directly to HIPC — from patient data inventory and privacy impact assessments through to breach readiness and incident response plans. We identify the gaps against the Code and build a clear improvement plan you can demonstrate to the Privacy Commissioner if needed.
What Usually Happens Next
Get patient-data oversight in place before the next notification is yours
If a Privacy Code question, an aged-care audit, or a near-miss is already on the month's schedule, we'll help you sort what gets written down and owned first — without pulling clinical staff away from patients to draft policies.