Manage My Health and MediMap: New Zealand’s cyber wake-up call
The recent breaches affecting Manage My Health and MediMap should serve as a clear wake-up call for New Zealand organisations, explains Duncan Morrison, Cyber Practice Leader, Aon New Zealand.
While the headlines have largely focused on compromised patient data, there’s a deeper lesson Kiwi businesses need to address: many organisations remain underprepared for a cyber incident. Cyber risk is no longer a technical issue confined to the IT department. It’s a clear risk for New Zealand businesses, and that’s not changing anytime soon.
A high-value target
Healthcare platforms are particularly attractive to cyber criminals for a simple reason: the data is extremely valuable. Medical records contain rich personal information that can be used for identity theft, fraud and extortion. Unlike passwords or identification numbers, health information cannot easily be changed once exposed.
Health systems also tend to be highly interconnected, often relying on multiple third-party platforms, legacy systems and complex user access environments. This creates a broad attack surface. In many cases, attackers do not need to breach the core provider directly; they can exploit vulnerabilities in the surrounding digital ecosystem.
But it would be a mistake for other sectors to view this as a healthcare-only problem. The same structural risks - sensitive data, interconnected systems and third-party dependencies - exist across financial services, education, local government, SMEs and the private sector.
Healthcare may be the canary in the coal mine, but the risk is there for all online Kiwi businesses.
The real cost
One of the most persistent misconceptions about cyber incidents is that the primary damage comes from the data breach itself. In reality, the downstream impacts often prove far more costly.
In addition to the cost of disruption to the business, there are also legal and regulatory ramifications, not to mention the reputational damage and loss of trust that comes with it.
For many businesses, the question is no longer whether a cyber incident will occur, but how well prepared they are to absorb and recover from it.
Regional data underscores the scale of the challenge. According to Aon’s 2025 Global Cyber Risk Report, around one in five Asia-Pacific organisations report they have already lost income due to a cyber attack - higher than the global average. The report showed that cyber incident frequency in the region also increased 29% year-on-year and 134% over the past four years, while cyber insurance claims rose a further 22% in 2024 compared with the prior year.
The threat is not hypothetical. It is already hitting the bottom line.
A worrying preparedness gap
Despite the rising risk, many organisations still lack a clear, quantified understanding of their cyber exposure.
According to Aon’s recent Global Risk Management Survey, across Asia-Pacific, only 14% of organisations quantify their exposure to top risks, including cyber. Fewer than two in ten organisations purchase cyber insurance - even though cyber is consistently ranked as a top risk.
This gap between perceived readiness and actual resilience is one of the most concerning trends we are seeing.
Too often, boards receive technical updates about patching, firewalls or phishing training but lack visibility of the potential financial loss from a major cyber event. Without that financial lens, cyber risk can be underestimated or deprioritised, ultimately not receiving the investment of both capital and time that it requires.
The growing third-party risk
Another lesson from recent incidents is the increasing role of third-party and technology supply-chain exposure.
Modern organisations rely on a web of software providers, cloud platforms, payment processors and data partners. Each connection creates potential exposure.
Boards should be asking not only, “how secure are we?” but also “how secure is our ecosystem?”
As digital interdependence grows, third-party risk is likely to become one of the defining cyber challenges of the next decade.
What organisations should be doing
The good news is, there are practical steps organisations can take immediately to strengthen their position:
- Quantify your cyber exposure in financial terms: Understanding the potential loss from a major incident changes the quality of risk conversations and investment decisions.
- Review your incident response and business continuity plans through a cyber lens: The key question is not whether systems can be breached, but how quickly the organisation can detect, contain and recover.
- Focus on third-party risk management: This includes clearer visibility of critical partners, stronger contractual protections and more rigorous due diligence.
- Reassess your risk transfer strategy: Cyber insurance isn’t a substitute for good security, but it complements an overall cyber risk management strategy, playing an important role in financial resilience when incidents occur.
- Build a strong security culture: With social engineering and human-led attacks rising sharply, people remain both the first line of defence and a potential point of vulnerability.
If there’s one thing we can be sure of, it’s that the recent health sector breaches won’t be the last. Organisations that respond decisively now will be far better positioned when, not if, the next incident occurs.
This opinion piece was originally published in The Post, The Press and the Sunday Star-Times print edition.