
It comes after two weeks of bad headlines for the hacked patient data portal Manage My Health, and Monday's revelation that oncology provider Canopy Health had been breached in mid-2025 but did not tell anyone for months.
Both services are privately owned. Nearly 2 million people are registered on Manage My Health, mostly via GP practices, while Canopy is the largest private medical oncology provider in the country. About 120,000 Manage My Health users, most of them based in Northland, had their data accessed by hackers.
Callum McMenamin, a web standards consultant who has worked on government website security, told RNZ he called out Manage My Health's lax security six months ago.
"The really big problem is no one in the government is checking if these private companies are adhering to digital security standards. The government has created a health information security framework, its standards for health information security, but the government is not checking if those standards are being properly implemented within private companies like Manage My Health or any of the other patient portals that we use."
He said there should be an "enforceable standard" for providers, who should be penalised if they fail to meet it, else people will "lose trust in the digital health system".
"There needs to be some kind of approach where maybe private companies are just not allowed to supply digital health systems if they're not secure enough. Or maybe there should be fines, or maybe they should be asked to make immediate changes to their systems if any issues are found."
Whether a government-provided service was any less penetrable would depend on the level of security it offered, McMenamin said.
"What it really comes down to is standards - technical standards and how well they are monitored and enforced. So you could make the private sector very secure if those standards are properly implemented and if those standards are of very high quality.
"So I think we probably can have private companies in this sector, but they just need to be properly regulated."

"Some of the public comments from the chief executive of Manage My Health said that the hacker logged in with a valid user password - two-factor authentication is a system that could potentially stop those kinds of attacks from working," McMenamin said.
"So multi-factor authentication really needs to be mandatory across all accounts for it to be properly effective.
"I noticed that KFC where you order your chicken has mandatory two-factor authentication, but Manage My Health does not have it. So for some reason Colonel Sanders seems to be more secure than our digital health providers.
"[Pretty much] every service uses it now - Facebook, Instagram, your Apple ID is probably protected by it as well, so it's just a ubiquitous technology because in the modern age, with all of the information that we upload online, two-factor authentication really is absolutely mandatory. It's just too risky not to."
Health providers were finger-lickin' good targets for hackers, he said, because the data can be used for extortion attempts.
"It does seem that many health organisations have very poor IT security controls in place, so they're very easy targets. They're just sitting ducks."
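To make concrete the point McMenamin raises about a hacker "logging in with a valid user password", the following is an added illustration written for this page, not code from Manage My Health, RNZ or any of the providers named. It shows a minimal login check in two policies: one where a second factor is optional (a correct password alone is enough), and one where a time-based one-time code (TOTP, RFC 6238) is mandatory, so a stolen password by itself is rejected. The usernames, passwords and salt are constructed; the TOTP seed is the RFC 6238 test-vector seed so the generated codes can be checked against the published vectors.

```python
"""Password-only login versus password plus a mandatory TOTP second factor.

Added example for illustration; not code from any provider named in the article.
Accounts, passwords and the salt are constructed. The TOTP seed is the
RFC 6238 test-vector seed ("12345678901234567890") so codes are checkable.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current 30-second step."""
    return hotp(secret, unix_time // STEP_SECONDS)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps to tolerate clock drift."""
    counter = unix_time // STEP_SECONDS
    ok = False
    # Check every candidate (no early return) and compare in constant time.
    for c in range(max(0, counter - window), counter + window + 1):
        ok |= hmac.compare_digest(hotp(secret, c), code)
    return ok


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; a real deployment would use a per-user random salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def verify_password(stored: bytes, salt: bytes, password: str) -> bool:
    return hmac.compare_digest(stored, hash_password(password, salt))


# Constructed accounts (hypothetical). patient2 never enrolled a second factor.
SALT = b"constructed-salt"
RFC6238_SEED = b"12345678901234567890"
USERS = {
    "patient1": {"pw": hash_password("correct horse", SALT), "totp": RFC6238_SEED},
    "patient2": {"pw": hash_password("hunter2", SALT), "totp": None},
}


def login(username: str, password: str, code, now: int, mfa_mandatory: bool) -> str:
    """Return 'ok', 'denied' or 'mfa_required'.

    mfa_mandatory=False is the weak policy: a valid password alone signs the user in.
    mfa_mandatory=True refuses password-only access, even for accounts that never enrolled.
    """
    user = USERS.get(username)
    if user is None or not verify_password(user["pw"], SALT, password):
        return "denied"
    secret = user["totp"]
    if secret is None:
        return "mfa_required" if mfa_mandatory else "ok"
    if code is None or not verify_totp(secret, code, now):
        return "denied"
    return "ok"


if __name__ == "__main__":
    # Attacker holds a valid password but no authenticator: mandatory MFA turns this away.
    print(login("patient1", "correct horse", None, 59, mfa_mandatory=True))
    # Legitimate user supplies the current code (RFC 6238 vector at t=59 is 287082).
    print(login("patient1", "correct horse", totp(RFC6238_SEED, 59), 59, mfa_mandatory=True))
    # Under the optional policy the same stolen password is enough on an unenrolled account.
    print(login("patient2", "hunter2", None, 59, mfa_mandatory=False))
```

The distinction the quote draws is the `mfa_mandatory` switch: with it off, an account that was never enrolled is exactly as exposed as one with no second factor at all, which is why enforcement across every account, not just opt-in availability, is what changes the outcome of a password-only login.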
RNZ has contacted Health NZ and Manage My Health for a response to McMenamin's claims.