New Zealand experienced three cybersecurity incidents during the first quarter of 2026, according to the National Cyber Security Centre's quarterly report.
The three incidents reached C2 level on the Centre's six-category scale, meaning they involved known or likely impact on key sensitive data or disruption of essential services in nationally significant organisations. New Zealand had not recorded a C2-level attack for more than four years before the 2026 incidents.
In May 2026, the Privacy Commissioner found Health New Zealand and Manage My Health had inadequate security controls when attackers accessed the portal in December 2025. The breach, described as one of New Zealand's biggest cybersecurity incidents, resulted in the theft of hundreds of thousands of medical files from the privately owned patient portal.
Another patient portal, MediMap, detected unauthorised activity in February 2026, while private healthcare provider IntraCare, which offers image-guided precision medical diagnostics and interventions, suffered a breach in March 2026.
Patrick Sharp, general manager of Aura Information Security, said New Zealand is not ready for a C1 incident - a national cyber emergency that causes severe disruption to core services and may undermine economic or democratic stability. "We spend a lot of time thinking about how to avoid that sort of incident," Sharp said.
Sharp said most businesses struggle with governance, particularly making informed cybersecurity decisions. A Kordia survey, conducted by the company that owns Aura, found only 50% of boards had discussed cybersecurity.
50% of businesses with over 50 employees have not practised their incident response plans. "I can assure you if they haven't practised that plan, they are not ready for a major incident," Sharp said.