The Ministry of Health has published the Terms of Reference for an independent review into the Manage My Health (MMH) cyber security incident, setting out what will be examined and what recommendations are expected.

Developed with the Government Chief Digital Officer and the National Cyber Security Centre, the review will look at how the incident occurred, how it was handled, and what changes are needed to better protect health information across the system.

The Ministry says the work will focus on improvements to prevent similar incidents. The review begins on 30 January 2026, with a final report due on 30 April 2026. The Ministry will not make public comment while the review is underway.

It said publishing the terms is intended to keep the health sector, portal users and other stakeholders informed about next steps. The Terms of Reference are available at “Ministry review into the Manage My Health data breach.” Manage My Health is a patient portal used by GP practices.