Newsletter

"How Simeon Brown’s Government Abandoned 126,000 Patients to Learn About Their Stolen Health Data From Social Media" - 5 January 2025

“We Found Out Through Reddit"

Ivor Jones The Māori Green Ltn

05 Jan 2026 — 19 min read

Koha / Support This Mahi

This is the third in-depth investigative piece in this series. Each requires extensive research, verification of sources, and the courage to name names when power demands silence.

Three pathways exist for those who wish to support this mahi:

For those who wish to support directly with a koha (voluntary contribution):
Koha—Support The Māori Green Lantern
For those who wish to receive essays directly and support through subscription:
Subscribe to The Māori Green Lantern on Substack
For those who prefer direct bank transfer:
HTDM, account number 03-1546-0415173-000

Every koha signals that whānau are ready to fund the accountability that Crown and corporate structures will not provide. It signals that rangatiratanga includes the power to fund our own truth tellers.

Kia kaha, whānau. Stay vigilant. Stay connected. And if you are able, consider a koha to ensure this voice continues.

The Information Vacuum: Five Days And Counting

As I documented in Part 1 and Part 2, Simeon Brown presided over the largest health data breach in New Zealand history while claiming it had “no clinical impact.” 126,000 people’s most intimate health records—HIV status, mental health diagnoses, reproductive histories, genetic test results—were stolen by the Kazu ransomware group.

But the catastrophic breach itself is only half the story.

The other half is how those 126,000 people found out their data had been stolen.

The answer:

Many didn’t find out from ManageMyHealth, their GPs, or Health NZ. They found out from Reddit.

Five days after the breach was discovered, RNZ reported that ManageMyHealth had finally identified which GP practices had affected patients. But Health NZ national director Jason Power confirmed:

“We expect MMH to share the timeframe for notifications by Tuesday.”

Tuesday. Six days after the breach. Six days after 126,000 people’s lives were placed at risk. Six days after criminals posted their stolen health data on the dark web with a ransom deadline of January 15.

And even that Tuesday deadline? Just a “timeframe for notifications”—not the notifications themselves.

Health NZ acting national director Jason Power stated:

“ManageMyHealth has advised that individual patients will be notified.” But when? How? Through what channels? Power provided no answers. Just vague assurances that ManageMyHealth would “meet the highest standards around system security, transparency, and communication with users.”

Five days later, those standards remain invisible.

“I Found Out Through Reddit”: The Privacy Act Violation

Under the Privacy Act 2020, organizations experiencing data breaches must notify affected individuals as soon as practicable when the breach causes or is likely to cause serious harm. Health data breaches—especially involving 126,000 people’s HIV status, mental health records, and genetic information—objectively meet this threshold.

Yet ManageMyHealth’s communication strategy has been: silence first, vague promises later, actual notifications never.

One Reddit user wrote:

“I’m puzzled as to why I’m learning about this breach through online sources instead of receiving a direct notification from ManageMyHealth, which is required by the Privacy Act 2020. A notice on their website simply isn’t sufficient; an email would have been the appropriate way to communicate this information.”

Another said:

“I haven’t received any updates from MMH or my doctor, or anyone else for that matter. I’m finding out all this information solely through Reddit, which is incredibly frustrating.“

A third:

“Why did I learn about this through social media or news outlets? I completely understand the annoyance this brings.”

This is not a communication failure. This is systematic abandonment. This is a company prioritizing legal liability management over patient safety. And Simeon Brown—the Health Minister responsible for overseeing health IT vendors—has said nothing to demand better.

The GP Nightmare: Doctors Found Out Through Media Reports

It’s not just patients who were left in the dark. GPs—the very medical professionals whose patients’ data was stolen—learned about the breach from media reports.

College of GPs president Dr Luke Bradford told RNZ:

“I only learned about the potential breach through the media. It’s terribly disappointing. They’re an absolutely key tool that we use for patients. It allows patients to access their records and better manage their health, literally. But if their data’s not safe, then their very personal information is not safe, and that’s really concerning.”

He continued:

“We’re going into this period without any formal communication about what’s involved in the breach and what can be done about it.“ This was said four days into a major health data breach, during a holiday period when most GP practices were closed.

General Practice NZ chair Dr Bryan Betty agreed:

“Health data in terms of patients is incredibly important, and any breach like this has to be taken extremely seriously and has to be actioned as a matter of urgency. There should be obviously free and open transparency about the situation and what’s actually happened, both for patients and practices that use the ManageMyHealth portal.“

But there was no transparency. There was information containment. ManageMyHealth’s communication strategy prioritized minimizing corporate liability over protecting the 126,000 people whose lives are now at risk.

The Government’s Complicity: Brown’s Hollow “Concern”

Where was Simeon Brown while 126,000 New Zealanders were learning about their stolen health data from social media?

Issuing statements. Expressing “concern.” Claiming “no clinical impact.” And doing absolutely nothing to demand ManageMyHealth immediately notify affected patients.

Brown stated:

“This is a concerning breach of patient data and Health NZ is working closely with ManageMyHealth to ensure it is being appropriately addressed.”

But what does “appropriately addressed” mean when patients are finding out through Reddit five days later? What does it mean when GPs—the frontline healthcare providers responsible for their patients’ wellbeing—are learning about the breach from news reports?

Brown added:

“At this stage, there is no evidence any Health NZ systems, including My Health Account, have been compromised as ManageMyHealth has separate systems.”

Translation: My hands are clean. This is a private company problem. Not my responsibility.

Except it IS his responsibility. As Health Minister, Brown is responsible for ensuring that private health IT vendors operating in New Zealand’s health ecosystem meet minimum standards for security, transparency, and patient communication. He is responsible for protecting New Zealanders’ health data. He is responsible for demanding accountability when 126,000 people are victimized.

And he has done none of those things.

The Privacy Commissioner’s Complicity: “Supporting” Inaction

Where is the Privacy Commissioner while 126,000 people wait for notification?

The Office of the Privacy Commissioner stated:

“Given the highly sensitive nature of health information, we will be working closely with them as they step through the complex process of notifying affected individuals. Our initial focus in this situation is to support [ManageMyHealth], and it is too early to anticipate what if any further action [the Office of the Privacy Commissioner] might take.“

“Too early to anticipate what if any further action.”

Five days after the breach. Five days after 126,000 people’s HIV status, mental health records, and genetic data were stolen. Five days after patients started learning about the breach through Reddit.

Too early.

This is regulatory capture in action. The Privacy Commissioner exists to protect citizens, not to support companies managing PR crises. Yet here we are: five days into the largest health data breach in New Zealand history, and the Privacy Commissioner’s primary role is “supporting” the company that failed to protect 126,000 people.

Labour Party health spokesperson Dr Ayesha Verrall got it right:

“ManageMyHealth users should have been contacted directly much sooner.”

Much sooner. Not six days later. Not “by Tuesday.” Immediately.

The 0800 Number That Doesn’t Exist

ManageMyHealth’s January 3 statement promised:

“We are establishing an 0800 number for concerned and impacted people.”

“Establishing.” Five days after the breach.

The company’s terms and conditions list an existing technical support number: 0800 664 123, available 9am-5pm Monday-Friday, excluding public holidays.

But there is no dedicated breach support line. No 24/7 crisis hotline. No immediate response mechanism for 126,000 people whose health data has been stolen and who face imminent identity theft, medical fraud, employment discrimination, and psychological trauma.

Just a promise to “establish” something. Eventually. When convenient.

NZ Herald reported that ManageMyHealth was “setting up a dedicated 0800 number and online helpdesk.”

Five days later, where is it?

The “Complex Process” Excuse: Bureaucratic Cowardice

ManageMyHealth’s excuse for the delayed notifications?

The company stated:

“We expect to start notifying those affected following confirmation of forensics and liaison with PHOs and GPs to ensure that individuals are getting the right information, in line with Privacy Act requirements, and are properly supported.“

This sounds reasonable until you realize: It’s been five days.

Five days is more than enough time to:

Send mass emails to all 126,000 potentially affected users with preliminary breach notification
Provide clear guidance on immediate protective actions (credit monitoring, identity theft alerts, healthcare fraud monitoring)
Establish a functional 0800 hotline with trained crisis support staff
Coordinate with GPs to prepare for patient inquiries

But none of this happened. Why? Because ManageMyHealth’s priority is not patient protection. It’s liability management.

One Reddit user nailed it:

“Their communication approach emphasizes both managing the situation and confirming which users have been impacted, along with providing updates to the public. It’s worth noting that the concept of ‘containment’ doesn’t inherently prevent them from offering guidance to users. However, doing so might require hiring additional staff beyond the few currently assigned to this task. After all, they might not want to significantly reduce Vino’s vacation budget.“

Savage. Accurate. And utterly damning.

One of the most enraging aspects of this breach is that many patients never consented to having their data stored on ManageMyHealth.

One Reddit user wrote:

“The clinic actually uploaded my information into this system without my permission. When I initially registered to schedule an appointment, I noticed that my medical records were already present in the database.”

Another said:

“Our clinics made us adopt this system, and now we’re facing these issues?!“

This is forced exposure. Patients had no choice. They wanted to see their GP. Their GP used ManageMyHealth. Their data was uploaded—without explicit consent, without adequate security, without protection.

And now? 126,000 people are learning through Reddit that their most intimate health secrets have been stolen.

This is not informed consent. This is coerced vulnerability.

The Class Divide: Who Gets Protected, Who Gets Abandoned

Here’s the uncomfortable truth about this breach: Not all 1.8 million ManageMyHealth users are equally at risk.

The breach affected “6-7% of registered users”—approximately 126,000 people. But ManageMyHealth has not disclosed which GP practices were affected. It has not disclosed which geographic regions. It has not disclosed which demographic groups.

This creates a two-tier information system:

Tier 1: Patients whose GPs have been privately notified and who can proactively reach out for support
Tier 2: Patients learning through Reddit, media reports, and social media that their data “might” have been stolen

Guess which tier is disproportionately Māori, Pasifika, low-income, rural, and already-marginalized?

Guess which tier has less access to credit monitoring services, identity theft protection, and legal support when their health data is weaponized against them?

This breach doesn’t just expose health data. It exposes structural inequity in who gets protected and who gets abandoned.

The Ransom Deadline: January 15

While Simeon Brown issues statements and ManageMyHealth “establishes” helplines, the Kazu ransomware group has set a deadline: January 15.

If the $60,000 ransom isn’t paid by then, the group will publicly release all stolen data. That means 126,000 people’s health records—currently on the dark web and accessible only to criminals willing to pay—will become freely available to anyone.

Identity thieves. Stalkers. Abusive ex-partners. Employers. Insurance companies. Immigration authorities. Everyone.

One Reddit user described the consequences: “It will reflect extremely poorly on MMH if they fail to inform those who were directly impacted by the breach before it becomes public knowledge. This situation poses a significant crisis for the healthcare industry and is likely the most sensitive data breach in the nation’s history, second only to the Latitude credit card incident.”

January 15 is ten days away. And 126,000 people still haven’t been formally notified that their data was stolen.

What This Means: The Four Dimensions Of Harm

Simeon Brown claims this breach has “no clinical impact.” Let’s be explicit about what “no clinical impact” looks like for the 126,000 affected people:

1. Identity Theft & Financial Fraud

Stolen health records contain: full names, dates of birth, addresses, National Health Index numbers, and health provider identifiers. This is everything needed for identity theft. Criminals can:

Open credit accounts
File fraudulent tax returns
Claim benefits using stolen identities
Access banking and financial services

2. Medical Fraud & Insurance Discrimination

Stolen health records allow criminals to:

File fraudulent insurance claims under victims’ names
Obtain prescription medications
Access medical services
Manipulate health records for blackmail

Insurance companies and employers who obtain leaked data can:

Deny coverage based on pre-existing conditions
Increase premiums based on health status
Discriminate in hiring based on mental health or HIV status

3. Targeted Harassment & Abuse

Abusive ex-partners, stalkers, and predators can use stolen health data to:

Locate victims via GP practice information
Weaponize mental health diagnoses or addiction treatment history
Blackmail victims over HIV status or reproductive history
Harass victims with intimate health knowledge

4. Psychological Trauma & Healthcare Avoidance

Knowing your most intimate health secrets have been stolen causes:

Anxiety and hypervigilance
Loss of trust in healthcare system
Avoidance of healthcare (the actual clinical impact Brown denies)
Trauma responses similar to sexual violation

This is not “no clinical impact.” This is life-altering harm.

Simeon Brown’s Pattern: Minimize, Deflect, Abandon

Let’s connect the dots across this entire series:

Part 1: Brown, an anti-abortion crusader with zero health qualifications, claims 126,000 stolen health records have “no clinical impact” while protecting ManageMyHealth from accountability.

Part 2: Brown cut 1,120 IT experts from Health NZ (47% of workforce), cancelled 136 security projects, and ignored warnings that created the conditions for this breach.

Part 3: Brown allows 126,000 people to find out their health data was stolen through Reddit while issuing meaningless statements about “concern.”

The pattern is clear:

Ideology over evidence: Anti-abortion crusader runs health system
Contractors over expertise: $72M to consultants while firing IT staff
Corporations over patients: Protects ManageMyHealth, abandons 126,000 victims
PR over accountability: “Concern” without action

This is not governance. This is systematic abandonment dressed as fiscal responsibility.

What Must Happen: Eight Immediate Demands

1. Immediate Universal Notification

ManageMyHealth must send emails and text messages to all 1.8 million registered users today. Not just the 126,000 affected—everyone. Because uncertainty itself is harm.

2. Functional 24/7 Crisis Hotline

Not “establishing” one. Operating one. With trained crisis counselors, identity theft specialists, and healthcare advocates. Today.

3. Free Credit Monitoring & Identity Theft Protection

ManageMyHealth must fund three years of credit monitoring and identity theft protection for all 126,000 affected users. Not optional. Mandatory.

4. Privacy Commissioner Investigation

The Privacy Commissioner must immediately investigate whether ManageMyHealth violated the Privacy Act 2020 by failing to notify affected individuals “as soon as practicable.”

5. Health NZ Must Audit All Private Health IT Vendors

Jason Power’s “we expect MMH to meet the highest standards” is insufficient. Audit them. Now. Every private vendor handling health data.

6. Simeon Brown Must Resign Or Be Sacked

A Health Minister who:

Cut 47% of IT staff
Cancelled 136 security projects
Allowed 126,000 people to find out through Reddit
Claims “no clinical impact”

...has disqualified himself from holding this portfolio.

7. Criminal Investigation Into Negligence

Did ManageMyHealth’s delayed notification constitute criminal negligence under the Privacy Act? The Police must investigate.

8. Mandatory Breach Notification Standards

New Zealand needs binding regulations requiring health data breaches to be notified to affected individuals within 24 hours. No exceptions.

The Cruelty Is The Point

Five days after the largest health data breach in New Zealand history, 126,000 people are still learning about their stolen HIV status, mental health diagnoses, and reproductive records through Reddit posts and media reports.

Five days after GPs found out through news articles.

Five days after Simeon Brown claimed “no clinical impact.”

Five days after the Privacy Commissioner prioritized “supporting” ManageMyHealth over protecting citizens.

This is not incompetence. This is policy.

The cruelty is the point. The abandonment is the point. The message is the point: You are on your own. The government will not protect you. Private companies will prioritize liability over your safety. And when your most intimate secrets are stolen and weaponized, you will find out through a Reddit post.

Whānau, this is the third part of my investigation into the ManageMyHealth breach and Simeon Brown’s catastrophic failures as Health Minister:

Part 1: How Simeon Brown’s Ideology and Incompetence Enabled the Largest Health Data Breach in NZ History
Part 2: The Ticking Time Bomb — How Simeon Brown Gutted Our Digital Defences
Part 3: “We Found Out Through Reddit” — How Brown’s Government Abandoned 126,000 Patients

Together, they reveal a complete picture of state-sanctioned negligence, corporate liability management prioritized over patient safety, and systematic abandonment of the most vulnerable.

We deserve better. We demand better. And we will not stop until Simeon Brown is removed and our health system is protected.

Kia kaha. Kia mataara. Kia tūtaki.

Ivor Jones The Māori Green Lantern Fighting Misinformation And Disinformation From The Far Right

Research date: 2-4 January 2026. All citations verified and URLs tested. This essay draws on 100+ verified sources including RNZ reporting, Reddit user testimony, ManageMyHealth statements, Health NZ communications, Privacy Commissioner statements, and Privacy Act 2020 provisions. Part 3 of the ManageMyHealth breach investigation series.

"THE SULU AND THE SWORD: How Christopher Luxon Wore Our Pacific Family's Dignity Like a Costume While His Budget Burned Their Villages to the Waterline" - 23 March 2026

"HE PĀTIKI KEI RARO I TE REPO — The Flounder in the Mud: How Damien Grant's Selective Conscience Exposes the Rotting Heart of Pākehā Media Power" - 22 March 2026

"THE CROWN'S DIGITAL TOHU: How a Rogue Neoliberal Government Sold the Whakapapa of a Nation to the Highest Unvetted Bidder" - 22 March 2026

"THE TONGUE THAT FEEDS THE BEAST: How a Neoliberal Vichy Government Handed Aotearoa's Mana to a War Machine Built on Lies - And Joe Kent Broke Them" - 22 March 2025