A document library is not safe just because it sits inside a platform.
That is the main lesson from the ManageMyHealth data breach in New Zealand.
In late December 2025 and early January 2026, ManageMyHealth disclosed a cyber breach affecting its online patient portal. Reporting on the incident said roughly 120,000 to 127,000 people may have been affected, with hundreds of thousands of sensitive medical documents exposed or accessed.
The breach was reportedly linked to a document storage module rather than the core patient database. That detail matters.
A document module can sound secondary. It can sound like a storage area beside the real system. But in a health context, documents are not low-risk attachments. They may include referrals, discharge summaries, laboratory results, imaging reports, clinical correspondence, and patient-uploaded material.
Those records can contain some of the most sensitive information a person has.
This is not only a cybersecurity story. It is a document governance story.
Sensitive records need retention rules, access control, source ownership, audit trails, notification workflows, and a clear response route when something goes wrong.
If your team stores sensitive files, source material, reports, evidence packs, patient records, client documents, public submissions, HR records, or donor project data, the lesson is direct. A folder is not a governance system. If you need a safer route from document intake to storage, review, use and handover, start with a data collection and intake system, traceable evidence workflow support, or a data use, reporting and communication system.
Who this guide is for
This guide is for: Teams managing sensitive documents, internal knowledge bases, patient records, client files, donor evidence, research material, and document-heavy systems.
Key takeaways
- A document library is not safe just because it sits inside a platform.
- Sensitive files need ownership, retention rules, access control, audit trails and response workflows.
- Old or poorly classified documents can increase breach impact.
- AI knowledge bases need document governance before teams upload source material.
The current situation
The ManageMyHealth data breach was disclosed around the end of December 2025 and early January 2026.
ManageMyHealth is a patient portal used by general practices in New Zealand. The platform allows patients to access personal health information and supports functions such as appointments, prescriptions, messaging, and document access.
The breach reportedly involved unauthorised access to a specific document storage module. It was not reported as unauthorised access to New Zealand’s national clinical systems or the core patient database.
That distinction should not make the incident sound minor.
The affected material reportedly included sensitive health documents such as referrals, discharge summaries, laboratory results, imaging reports, clinical correspondence, and documents uploaded by patients.
Some reporting said more than 400,000 documents were involved. Some records reportedly dated back several years. Some affected information may have related to patients whose general practices no longer used ManageMyHealth.
The incident prompted urgent legal action, government review, regulatory scrutiny, warnings to patients, and concern from healthcare providers who had to respond to patient enquiries while information was still emerging.
That is the operational cost of weak document governance.
When sensitive documents are exposed, the organisation does not only have to fix the technical issue. It has to identify affected people, communicate clearly, support frontline teams, manage legal risk, deal with regulators, and rebuild trust.
What happened
The available reporting points to a breach involving unauthorised access to documents held in the ManageMyHealth platform.
The affected documents were not just system metadata. They were health records.
That matters because the privacy risk in health data is different from the privacy risk in ordinary account data.
A leaked email address is a problem. A leaked medical referral is a different kind of problem. A leaked laboratory result, imaging report, discharge summary, or clinical letter can expose information about diagnosis, treatment, family circumstances, mental health, sexual health, disability, violence, addiction, pregnancy, or other sensitive issues.
For affected people, the harm is not only identity theft. It can include anxiety, embarrassment, fear, discrimination, family risk, targeted scams, blackmail, or loss of trust in the health system.
The breach also created confusion for general practices. Reporting indicated that some practices struggled with unclear information about which patients were affected during the early response period.
That is a workflow failure as much as a communication problem.
When a breach happens, the organisation needs to know:
which documents were affected
which patients are linked to those documents
which practices uploaded or used them
which practices still have a relationship with those patients
which documents are old, inactive, archived, or no longer needed
who must be notified
what the notification should say
what advice frontline providers need
what legal or regulatory steps must happen
If that information cannot be retrieved quickly, the response becomes slower and less trusted.
The main point
The ManageMyHealth data breach shows that document storage is not the same as document governance.
A platform can hold documents. A database can store records. A folder can contain files. A portal can make documents available.
None of that means the organisation has a strong governance workflow.
A proper document governance workflow answers harder questions:
Why was this document collected?
Who owns it?
Who can access it?
How long should it be kept?
What system or practice is responsible for it?
Is the person still linked to the same provider?
Should old material still be available?
Is there an audit trail?
Can the organisation identify affected people quickly?
Can the organisation notify users clearly if something goes wrong?
This is why a sensitive document library cannot be treated as a passive storage area.
It is part of the organisation’s evidence and risk system.
That same principle applies to research documents, public submissions, donor reports, HR files, case studies, fieldwork notes, interview transcripts, AI knowledge bases, and internal client records.
If the document library is not governed, the risk sits quietly until something breaks.
Where the workflow failed
1. Sensitive documents were exposed through a document storage layer
The reported breach was linked to a document storage module rather than the core patient database.
That distinction is important because many organisations treat document libraries as less structured than databases.
Databases usually have fields, tables, permissions, logs, and known records. Document libraries often grow through uploads, folders, attachments, exports, scans, PDFs, letters, reports, and ad hoc files.
The risk is that the document library becomes a shadow evidence system.
It contains sensitive material, but it may not have the same quality of metadata, retention rules, access control, or review status as the structured database.
That is where document governance breaks down.
For any organisation holding sensitive files, the question is not only whether the file is stored. The question is whether the file has enough structure around it to be controlled.
That can include:
source ID
document owner
upload date
patient, participant, client, project, or case link
access level
retention period
review status
archive status
deletion or transfer rules
audit history
breach notification route
This is why a source register for an evidence-heavy report matters. It gives the team a structured record of what exists, where it came from, who owns it, and how it is being used.
2. Old records may have increased the risk
Reporting on the breach said some records dated back several years and that some affected information may have related to patients whose practices no longer used the platform.
This is a common governance problem.
Old records can feel harmless because they are no longer active. But sensitive data does not become low-risk just because it is old.
In some cases, older documents may be even harder to explain. Staff may have changed. Contracts may have ended. Practices may have moved to other systems. Patients may no longer know their records are still held there. The organisation may struggle to work out who owns the relationship with the affected person.
That creates response problems.
If old documents are retained without clear rules, the organisation may have to manage breach notifications for records that should have been archived, transferred, reviewed, or deleted earlier.
This is why retention rules matter.
A document governance workflow should define:
what must be kept
why it must be kept
who is responsible for it
how long it should be retained
when it should be archived
when it should be deleted
what legal or contractual rules apply
how the decision is recorded
Without that structure, document libraries become long-term risk stores.
3. Access control was not the only issue
Cybersecurity matters. Access control matters. Technical safeguards matter.
But they are not the whole governance system.
A health document library also needs operational control. Even if a platform fixes the technical vulnerability, the organisation still needs to know what was exposed, who was affected, which practices need information, what patients should be told, what support is needed, and how future risk will be reduced.
That is why the response workflow matters.
A breach response needs data structure. It needs a way to map affected documents to people, providers, dates, document types, sensitivity levels, notification groups, and support routes.
Without that mapping, communication becomes slow and unclear.
The lesson is not only “secure the system”. The lesson is “design the information environment so the organisation can respond when the system fails”.
That is the same reason data collection and intake systems need to include source IDs, status fields, routing rules, access rules, and review steps from the start.
4. Patients and practices needed clearer information during the response
In any breach, affected people want to know whether their information was involved.
Frontline providers also need clear information. They have to answer patient questions, calm anxiety, explain what is known, and advise people on practical next steps.
Reporting on the ManageMyHealth breach indicated that general practices received patient enquiries while still lacking clear information about which patients were affected.
That is a serious operational strain.
It shows why a breach response workflow must be designed before the breach happens.
The organisation should be able to produce:
affected-person lists
affected-practice lists
document-type summaries
notification batches
patient-facing guidance
provider-facing guidance
call centre scripts
incident updates
regulator reports
issue logs
escalation records
This is not only communications work. It is data work.
If the affected-record mapping is weak, the communication will also be weak.
For teams working with reports, evidence, submissions, or sensitive data, the same principle applies. A strong data use, reporting and communication system should make it easier to turn structured information into clear outputs for the people who need to act.
5. The breach created risk beyond the original platform
A health document breach does not stay inside the breached system.
Once sensitive material leaves the controlled environment, the risk spreads.
Affected people may face scams, phishing, impersonation, pressure, embarrassment, or fear that personal information could be shared further. Healthcare providers may face trust issues. Regulators may investigate. Lawyers may become involved. News coverage may amplify concern. Support teams may be overwhelmed.
This is why sensitive information must be treated differently from ordinary operational data.
A document containing health information is not just a file. It is a record about a person’s life.
The system around that file must reflect that.
What should have happened
No document system can remove every possible security risk. But a stronger governance workflow can reduce the chance that sensitive documents are over-retained, poorly mapped, hard to audit, or hard to respond to after a breach.
Sensitive document intake should have been structured
Every sensitive document should enter the system with enough metadata to manage it later.
That does not mean overcomplicating the portal. It means defining the minimum fields needed to control the record.
For a health document, that may include:
patient ID
practice ID
document type
source system
upload source
upload date
sensitivity category
access permissions
retention rule
review status
archive or deletion status
For research, public-sector, donor, or HR work, the equivalent might be participant ID, submission ID, source ID, project ID, consent status, confidentiality level, review status, and allowed-use notes.
This is the same logic behind how to prepare documents for AI retrieval. AI retrieval is safer and more useful when the document library has clean metadata, clear source boundaries, and defined use rules.
Retention rules should have been visible and enforceable
Sensitive document systems need retention rules that are easy to apply.
The organisation should know why a document is still being held, whether it is still needed, and what should happen when a provider relationship ends.
If a practice leaves a platform, there should be a documented process for:
identifying the documents linked to that practice
confirming legal and contractual retention obligations
transferring or archiving records where required
disabling unnecessary access
updating ownership records
recording decisions
notifying relevant parties where appropriate
Retention is not only a legal issue. It is a workflow issue.
If the workflow does not make retention visible, old documents stay in the system by default.
Access control should have matched sensitivity
Not all documents carry the same risk.
A system should distinguish between ordinary administrative material and highly sensitive health records. It should also distinguish between active files, archived files, restricted files, and records that require extra review before access.
Access control should not only ask whether a user can enter the system. It should ask whether that user should have access to that document, for that purpose, at that time.
For any sensitive workflow, access rules should be tied to roles, source ownership, purpose, and audit logs.
That principle applies to health records, HR files, interview transcripts, public submissions, donor reports, client records, safeguarding material, and confidential policy documents.
Audit trails should have supported fast breach mapping
When something goes wrong, the organisation needs to reconstruct what happened quickly.
That means audit trails should show:
which documents were accessed
when they were accessed
how they were accessed
which records or people they relate to
which practices or teams are connected
whether the documents were active or archived
what notifications were sent
what remediation steps were taken
Without this structure, breach response becomes slower, less clear, and more expensive.
The Source Traceability Risk Checker can help teams think through this problem in a non-health context: can the team trace outputs, claims, records, and decisions back to source material?
Response workflows should have been prepared before the incident
A breach response process should not be built during the breach.
The organisation should already have a response workflow covering:
incident logging
affected-record mapping
affected-person identification
provider or partner notification
user notification
regulator notification
public statements
support channels
escalation routes
legal review
remediation tracking
post-incident review
This does not only apply to health platforms.
Any organisation holding sensitive data should have a workflow for what happens when information is wrong, exposed, misused, lost, or questioned.
For evidence-heavy teams, that same structure can be adapted into issue logs, review trackers, correction notes, and handover records.
What this shows about weak data governance
The ManageMyHealth breach shows that weak data governance is often invisible until there is an incident.
Before a breach, a document library may look organised enough. The portal works. Users can log in. Files are uploaded. Records are available. The system seems to be doing its job.
After a breach, different questions appear.
Who owns the records? Why were they still there? Who had access? Which people are affected? Which organisations need to respond? Which documents are sensitive? Which records should have been archived? Which users need to be notified? Which regulator needs what information?
Those questions are not only cybersecurity questions. They are governance questions.
A strong document workflow does not only help people find files. It helps the organisation control, review, protect, use, and respond to the information it holds.
That is why a document library needs more than folders.
It needs structure.
How a stronger workflow could have reduced the risk
A stronger workflow would not guarantee that no cyber incident could ever happen.
That would be a false promise.
But a stronger workflow could reduce the chance that sensitive documents are poorly mapped, over-retained, difficult to audit, or hard to respond to after a breach.
A stronger workflow would include:
document intake rules
source IDs
patient, client, participant, practice, or project links
document-type categories
sensitivity flags
access roles
retention rules
archive and deletion processes
audit logs
breach-mapping fields
notification lists
incident response templates
review and sign-off records
The purpose is not to make the system heavier. The purpose is to make the system safer and easier to operate under pressure.
That same logic applies to research teams, public-sector projects, donor-funded contractors, NGOs, HR teams, and internal operations teams.
If your team holds sensitive source material but cannot quickly explain what exists, who owns it, who can access it, and how it is used, the risk is already there.
What this means for research, policy, donor reporting, and internal systems
The ManageMyHealth breach is about health documents, but the lesson applies to other information-heavy work.
A research team may hold interview transcripts, consent forms, field notes, case studies, and coded extracts.
A public-sector team may hold submissions, complaints, stakeholder comments, policy drafts, and review records.
A donor-funded programme may hold partner reports, beneficiary data, fieldwork photos, case stories, safeguarding notes, and monitoring records.
An HR team may hold staff requests, medical notes, disciplinary records, payroll files, and confidential correspondence.
A service business may hold client briefs, project files, contracts, invoices, passwords, and internal notes.
In all these cases, the issue is not only whether the documents are stored.
The issue is whether they are governed.
If sensitive material is being prepared for AI use, the risk becomes even sharper. An AI-ready knowledge environment for internal retrieval needs clear source boundaries, permissions, metadata, allowed-use rules, and review discipline before people start asking questions of the material.
If the source library is messy, AI can make the problem faster. It can retrieve the wrong document, summarise restricted material, or make it harder to see which source was used. That is why AI gives weak answers when source material is messy.
Where my work fits
My work helps teams move from messy information to structured systems, faster analysis, clearer reports, and better decisions.
In a sensitive document context, that can include:
source registers
document inventories
intake forms
access and review fields
data dictionaries
folder structures
source IDs
sensitivity flags
retention fields
review trackers
AI-ready document preparation
reporting workflows
handover notes
QA and issue logs
The goal is not to replace cybersecurity, legal, privacy, ethics, or clinical expertise.
The goal is to build the information workflow around the material so the team can see what exists, where it came from, who is responsible for it, how it is being used, and what needs review.
My Local Government White Paper evidence workflow case study shows how source material, claims, synthesis, drafting support, and review comments can stay connected.
The UNICEF Zambia child poverty evidence workflow shows how sensitive narrative material can be structured into a spreadsheet-first evidence workflow with quote-per-claim checks.
The UNICEF Palestine situation analysis case study shows how scattered qualitative material can be rebuilt into a retrieval, recommendation, and drafting workflow under deadline pressure.
Different sectors. Same principle.
The document library is only safe enough when the workflow around it can be checked.
FAQ
What was the ManageMyHealth data breach?
The ManageMyHealth data breach was a cybersecurity incident involving unauthorised access to documents in a New Zealand patient portal.
Reporting indicated that the incident affected roughly 120,000 to 127,000 people and involved hundreds of thousands of sensitive medical documents.
How many people were affected by the ManageMyHealth data breach?
Available reporting said roughly 120,000 to 127,000 people may have been affected.
The exact number should be checked against the latest official updates before publication or legal use, because breach investigations can change affected-person counts over time.
What kind of information was exposed in the ManageMyHealth breach?
Reporting said the affected material included medical documents such as referrals, discharge summaries, laboratory results, imaging reports, clinical correspondence, and documents uploaded by patients.
That makes the breach especially sensitive because health documents can contain deeply personal information.
Was the core patient database affected?
Available reporting said the unauthorised access was linked to a document storage module, not the core patient database or New Zealand national clinical systems.
That distinction matters, but it does not make the breach low-risk. A document storage module can still contain highly sensitive personal health information.
Why does the ManageMyHealth data breach matter?
It matters because health documents can affect a person’s privacy, safety, dignity, trust in healthcare providers, and exposure to scams or misuse.
The breach also shows that document storage needs governance, not only platform access.
What is document governance?
Document governance is the system for controlling how documents are collected, stored, accessed, reviewed, retained, archived, deleted, and used.
For sensitive documents, governance should include source IDs, ownership, permissions, retention rules, audit trails, sensitivity flags, and response workflows.
What is the workflow lesson from the ManageMyHealth breach?
The lesson is that a document library is not safe just because it sits inside a platform.
Sensitive records need clear intake rules, access control, retention rules, audit trails, affected-person mapping, notification workflows, and response plans.
How does this relate to AI knowledge bases?
AI knowledge bases often start with document libraries.
If the document library is messy, over-retained, poorly permissioned, or missing metadata, the AI layer can increase risk. It may retrieve restricted documents, summarise sensitive material, or make it harder to check which source was used.
Before building an AI knowledge base, teams should prepare the source library and run a proper AI knowledge base QA process.
What should a sensitive document workflow include?
A sensitive document workflow should include:
source IDs
document owner fields
access rules
sensitivity categories
retention rules
archive status
deletion or transfer logic
audit trails
review status
breach response fields
notification workflows
The exact structure depends on the organisation and legal context.
How can organisations reduce document breach risk?
They can reduce risk by mapping what documents they hold, limiting access, defining retention rules, keeping audit logs, reviewing old records, preparing breach response workflows, and making sensitive material easier to trace.
Cybersecurity is still needed. But cybersecurity works better when the information environment is already structured.
How does this relate to research and donor reporting?
Research and donor-reporting teams often hold sensitive source material such as interviews, case studies, field notes, beneficiary records, consent forms, partner reports, and programme evidence.
If those documents are not structured and governed properly, teams may struggle to protect them, use them responsibly, or respond if something goes wrong.
Who can help audit a sensitive document or evidence workflow?
I help teams audit and rebuild workflows that move from raw source material to structured evidence, reports, AI knowledge bases, public submissions analysis, dashboards, and decision support.
If your team needs to check whether its current document or evidence workflow can survive review, breach response, handover, or public scrutiny, contact me here.
A useful next step
If your team stores sensitive documents, reports, source material, public submissions, interview records, HR files, donor evidence, or AI-ready document libraries, ask three questions:
Can we quickly list what sensitive documents we hold and why?
Can we trace each document to its owner, source, access rules, and retention status?
Could we identify and notify affected people quickly if something went wrong?
If the answer is no, the issue is not only cybersecurity. It is data governance and workflow design.
Use the Source Traceability Risk Checker to test where the review trail may break. Use the Search and Review Time Savings Calculator to estimate the hidden cost of searching, checking, and reconstructing source material after the fact.
A weak document workflow can turn into a breach response problem, a trust problem, a legal risk, or an expensive correction exercise. If your team needs to check whether its document, evidence, AI, reporting, or data-use workflow is safe enough, get in touch. I can help audit the current process, identify the main risk points, and build a clearer route from source material to controlled use.
Sources used in this guide
These sources were used to ground the facts of the case. The workflow analysis is my own.
Used for factual background and source context.
Read sourceData Collection & Intake Systems
Collect useful, traceable data from the start through forms, fieldwork tools, public submission portals, partner reporting systems, calculators, and intake workflows.