Healthcare Is a High-Value Target — And the Numbers Prove It
The short version: Healthcare is the most expensive sector for data breaches globally (USD $10.93M average), and the HIPC demands governance your MSP was never hired to deliver. IPP 3A takes effect on 1 May 2026 — weeks away — and every unnotified referral and lab result becomes a compliance gap overnight. A structured governance review takes weeks, not months. Book a free consultation before the deadline. Read on for the full breakdown.
Healthcare data is among the most valuable information a cyber attacker can steal. Unlike a compromised credit card number, which can be cancelled and reissued within hours, health information is permanent. A patient's diagnosis history, mental health records, genetic data, and treatment plans cannot be revoked or replaced. This permanence makes health data extraordinarily valuable on criminal marketplaces and extraordinarily damaging when exposed.
The global figures are stark. The average cost of a healthcare data breach reached USD $10.93 million in 2024, making healthcare the most expensive sector for data breaches for the fourteenth consecutive year (IBM Cost of a Data Breach Report 2024). Industry research indicates that 73% of ANZ (Australia and New Zealand) healthcare organisations experienced a cyber incident in the most recent reporting period. In New Zealand specifically, 11.1% of all privacy breaches reported to the Office of the Privacy Commissioner (OPC) come from the health sector (OPC/industry data), a disproportionate share given the size of the sector relative to the broader economy.
These numbers are not abstract. In May 2021, the Waikato District Health Board was hit by a Zeppelin ransomware attack that took its systems offline for approximately six months. Phone lines went down, surgeries were cancelled, and patient data — including clinical records — was leaked on the dark web. The insurance claim reached NZD $16.5 million and exceeded the policy limit. The DHB's cyber insurance premium subsequently jumped from $400,000 to $1.3 million per year — a 225% increase (Reseller News; Te Whatu Ora Incident Report). In early 2025, the ManageMyHealth patient portal — used by over 127,000 New Zealanders to access their health records — was breached by a group demanding NZD $60,000 in ransom within 48 hours, threatening to release patient data publicly (Cyber Daily, 2025). These are not hypothetical scenarios for healthcare. They are the operating reality.
The Health Information Privacy Code 2020 (HIPC) exists precisely because health information demands a higher standard of protection than ordinary personal information. And that higher standard extends well beyond what your managed service provider was hired to deliver.
What the HIPC Actually Requires
The Health Information Privacy Code 2020 came into force on 1 December 2020, replacing the original 1994 code (OPC). It applies to health information about identifiable individuals that is collected, used, held, and disclosed by health agencies (OPC). This is a broad scope. It covers general practices, specialist clinics, physiotherapists, dentists, pharmacies, mental health providers, aged care facilities, and any other agency that handles health information as defined under the code.
Rule 5 of the HIPC requires that health agencies take "reasonable security safeguards" to protect health information against loss, unauthorised access, use, modification, disclosure, and other misuse (HIPC 2020). The standard of reasonableness is not fixed. It scales with the risk level and severity of potential consequences (HIPC 2020). For a mental health provider holding detailed clinical notes about vulnerable patients, the standard of "reasonable" is substantially higher than for a business holding customer email addresses. This sliding scale is critical because it means that a healthcare provider cannot point to generic security controls and claim compliance. The safeguards must be proportionate to the sensitivity and volume of health information held.
Beyond Rule 5, the HIPC incorporates the full framework of the Privacy Act 2020, including the mandatory breach notification regime. If a privacy breach involving health information is likely to cause serious harm to affected individuals, the health agency must notify both the OPC and the affected individuals (Privacy Act 2020). In a healthcare context, almost any breach involving clinical records, diagnoses, or treatment information carries a high likelihood of meeting the serious harm threshold, given the sensitivity of the information involved.
The HIPC also imposes specific obligations around collection limitation, purpose limitation, retention, access, and correction of health information. These are not aspirational principles. They are enforceable legal requirements that the OPC actively investigates when complaints are lodged or breaches are reported.
What Your MSP Does Well
Before examining the gaps, it is important to acknowledge the genuine value that a competent managed service provider delivers. A good MSP is an essential part of your operational infrastructure, and nothing in this article should be read as a suggestion to replace your MSP. The point is that MSPs and privacy governance serve different functions, and treating one as a substitute for the other creates dangerous blind spots.
Your MSP typically handles infrastructure management, including server maintenance, network configuration, and uptime monitoring. They manage endpoint protection, ensuring that antivirus software is deployed and updated across your workstations. They handle patching and updates, applying security patches to operating systems and applications on a regular cycle. Many MSPs provide backup and disaster recovery services, ensuring that your data can be restored following hardware failure or ransomware. They often run a helpdesk that handles day-to-day IT support requests from your staff. Some MSPs also provide basic security monitoring, alerting you to suspicious activity on your network.
These are all valuable, necessary services. A healthcare practice without reliable IT infrastructure, current patches, and functioning backups is exposed to operational risk that no amount of governance documentation can mitigate. Your MSP addresses the technical foundation, and that foundation matters.
The problem is not what your MSP does. The problem is what your MSP does not do, and what you may be assuming they cover.
What Your MSP Does Not Do
The gap between MSP service delivery and HIPC compliance is not a gap in competence. It is a gap in scope. MSPs are IT infrastructure providers. The HIPC requires privacy governance. These are fundamentally different disciplines, and conflating them leaves healthcare providers exposed in six critical areas.
Personal data inventory. Rule 5 of the HIPC requires reasonable security safeguards, and you cannot safeguard information you have not identified. A personal data inventory is a structured register of what health information your practice collects, where it is stored, who has access to it, how it flows between systems, and how long it is retained. Your MSP knows what servers and applications you run. They do not know what categories of health information reside in each system, which data flows involve patient identifiers, or whether your retention practices align with HIPC requirements. Building and maintaining a personal data inventory requires privacy expertise, not infrastructure expertise.
Privacy impact assessments. When you adopt a new practice management system, connect to a health information exchange, implement a patient portal, or change how you share data with referral partners, the HIPC expects you to assess the privacy implications before proceeding. A privacy impact assessment (PIA) evaluates the risks to patient privacy, identifies safeguards to mitigate those risks, and documents the analysis. Your MSP may help you migrate to a new system or configure a new integration. They do not assess whether that system or integration creates new privacy risks, changes your data flows in ways that affect compliance, or requires updated patient notifications.
Breach readiness planning. The Privacy Act 2020 requires notification to the OPC and affected individuals when a breach is likely to cause serious harm. In healthcare, the threshold for "serious harm" is almost always met when clinical information is involved. Breach readiness planning involves developing documented response procedures, defining roles and responsibilities, establishing assessment criteria for determining whether notification is required, preparing template notifications, and rehearsing the response through practice exercises. Your MSP may detect a security incident on your network. They do not determine whether that incident constitutes a notifiable privacy breach under the HIPC, assess the likelihood of serious harm to patients, draft notifications to the OPC, or manage communications with affected individuals.
Governance and compliance reporting. The HIPC does not operate in isolation. Healthcare providers must demonstrate ongoing compliance through documented policies, procedures, risk assessments, and audit trails. Governance reporting involves tracking compliance status across the Information Privacy Principles, documenting how security safeguards are maintained and reviewed, and providing evidence of compliance to the OPC if an investigation occurs. Your MSP provides infrastructure reports — uptime statistics, patch compliance rates, backup success logs. They do not produce privacy governance reports, track your compliance status against the HIPC, or prepare the documentation the OPC expects to see during an investigation.
Staff privacy training. Human error is the leading cause of privacy breaches in healthcare. A receptionist who discloses appointment details to the wrong family member, a clinician who sends a referral letter to an incorrect email address, or a staff member who accesses patient records without a legitimate purpose — these are all privacy breaches that no firewall or antivirus product can prevent. The HIPC requires reasonable safeguards, and staff training is a fundamental component of reasonableness. Your MSP may provide basic cybersecurity awareness training covering phishing and password hygiene. They do not deliver training on the HIPC, Information Privacy Principles, patient consent requirements, or the specific privacy obligations that apply to health information.
Vendor risk assessment. Healthcare providers increasingly rely on third-party cloud services, practice management platforms, telehealth systems, and data analytics tools. Under section 11 of the Privacy Act 2020, if a third-party provider stores or processes data solely on your behalf, you remain fully responsible for that data. Your MSP may manage the technical relationship with your cloud providers. They do not assess whether those vendors meet the privacy and security requirements of the HIPC, evaluate their breach notification capabilities, review their data processing agreements for compliance, or monitor their ongoing risk status.
The Notification Obligation: What "Serious Harm" Means in Healthcare
The mandatory breach notification regime under the Privacy Act 2020 requires agencies to notify the OPC and affected individuals if a privacy breach is likely to cause "serious harm" to those individuals. In a healthcare context, the serious harm threshold is critically important because health information is inherently sensitive, and the consequences of its exposure are often severe and irreversible.
Consider the practical examples. A ransomware attack encrypts your practice management system. Even if the attackers did not exfiltrate data, you may not be able to confirm that they did not access patient records during the period of compromise. The uncertainty alone may be sufficient to trigger notification, because the potential consequences of health record exposure — discrimination, stigma, emotional distress, insurance implications — are serious by nature.
A staff member emails a patient's mental health records to the wrong general practitioner. The information has left your control and been received by an unintended recipient. The sensitivity of mental health records means that the likelihood of serious harm is high, even if the unintended recipient is a medical professional bound by their own confidentiality obligations.
A third-party telehealth platform you use experiences a data breach affecting patient consultation records. Under the Privacy Act 2020, you remain responsible for that data even though the breach occurred at the vendor's infrastructure. You must assess the breach, determine whether notification is required, and carry out notification if the threshold is met. Your MSP does not manage this process.
In each of these scenarios, the technical incident is only the beginning. The privacy assessment, notification decision, OPC reporting, patient communication, and corrective planning are all governance activities that sit outside the scope of managed IT services. Without a breach readiness plan and the expertise to execute it, healthcare providers are left improvising during the most high-pressure moment they will face.
IPP 3A Implications for Health Providers
Information Privacy Principle 3A takes effect on 1 May 2026 and introduces a new obligation that will affect virtually every healthcare provider in New Zealand. Under IPP 3A, when a health agency collects personal information about an individual from a source other than that individual, the agency must take reasonable steps to notify the individual of the collection (Privacy Act 2020, IPP 3A).
For healthcare, this is a significant change. Health providers routinely collect patient information from sources other than the patient: referral letters from other practitioners, laboratory results from testing facilities, imaging reports from radiology providers, dispensing records from pharmacies, discharge summaries from hospitals, and clinical correspondence from specialists. Until now, there has been no explicit obligation to notify the patient when information is collected from these third-party sources.
From 1 May 2026, healthcare providers will need to have systems and processes in place to identify when health information is collected from third-party sources and to notify the affected individual within a reasonable timeframe. The notification must include the fact that the information has been collected, the source of the information, and the purposes for which it will be used.
This is not a trivial operational change. A busy general practice that receives dozens of referral letters, lab results, and specialist reports each day will need a systematic process for identifying third-party collections and triggering notifications. A manual, ad-hoc approach will not scale, and failure to notify will constitute a breach of the Information Privacy Principles.
The intersection of IPP 3A with the HIPC creates a compounding obligation. Health information collected from third-party sources must not only trigger a notification to the individual but must also be incorporated into your personal data inventory, protected by reasonable security safeguards under Rule 5, and managed in accordance with the retention and purpose limitation principles.
Your MSP has no role in this process. They do not track what information enters your clinical systems from third-party sources, they do not generate patient notifications, and they do not update your data inventory when new collection pathways are established. IPP 3A compliance is a governance and operational design challenge, not an infrastructure challenge.
Health NZ's ongoing digital transformation is further increasing the attack surface and data complexity for the entire sector. As systems become more interconnected and data flows multiply across providers, platforms, and regions, the governance requirements under the HIPC and Privacy Act will only intensify. Providers who rely solely on infrastructure-level controls will find themselves increasingly exposed.
Frequently Asked Questions
Does the HIPC apply to my practice?
If your organisation collects, uses, holds, or discloses health information about identifiable individuals, the Health Information Privacy Code 2020 applies. This covers general practices, specialist clinics, physiotherapists, dentists, pharmacies, mental health providers, aged care facilities, and any other health agency as defined under the code.
Is my MSP responsible for our privacy compliance?
No. Under the Privacy Act 2020, you remain the agency responsible for personal information even when a third party (including your MSP) processes it on your behalf. Your MSP manages infrastructure. Privacy compliance — including data inventories, breach readiness, privacy impact assessments, and staff training — is your responsibility as the health agency.
What does IPP 3A mean for healthcare providers specifically?
From 1 May 2026, when you collect patient information from a source other than the patient — referral letters, lab results, specialist reports, discharge summaries — you will need to take reasonable steps to notify the patient. For busy practices receiving dozens of third-party records daily, this requires a systematic process, not ad-hoc handling.
Close the HIPC Governance Gap
Healthcare data breaches almost always meet the "serious harm" threshold under the Privacy Act — and the OPC does not wait for you to be ready. With IPP 3A taking effect on 1 May 2026, every referral, lab result, and specialist report that enters your system without patient notification is a compliance gap.
The good news: a structured HIPC governance review typically takes weeks, not months, and gives you a clear improvement path that works alongside your existing MSP relationship.
Book a free consultation — find out where your HIPC governance gaps are before a breach or a complaint finds them for you.