Cyber incidents are no longer abstract technical events; they directly affect people’s health, privacy, and trust.

The recent ManageMyHealth data breach has reignited two important public debates:

  1. Should ransoms be paid after a cyberattack?

  2. What exactly is a Court’s Cyber Injunction Order, and why does it matter?

This article aims to cut through the noise and explain both issues in practical, plain language.

 

What Happened — and Why It Matters

ManageMyHealth is a widely used digital health platform in New Zealand. When attackers accessed and exfiltrated sensitive health information, the incident moved beyond an IT problem into a national privacy and public trust issue.

Health data is among the most sensitive categories of personal information. Once exposed, it cannot be “reset” like a password. The harm is personal, long-lasting, and deeply human.


The Ransom Question: Legal, Moral, and Strategic Dimensions

One of the first questions people ask after a ransomware incident is:

“Why not just pay the ransom and make it go away?”

Is paying a ransom illegal?

In most jurisdictions, paying a ransom is not automatically illegal. However:

  • Payments may breach sanctions laws if the attacker is linked to sanctioned entities

  • Payments can expose organisations to regulatory, legal, and reputational consequences

But legality is not the whole story

There is a strong ethical and strategic argument against paying ransoms.

Paying a ransom:

  • Funds criminal enterprises

  • Encourages repeat attacks

  • Signals that essential services are “payable targets”

  • Does not guarantee data deletion or non-disclosure

This is why the New Zealand Government’s stance is both clear and commendable.

Health Minister Simeon Brown stated that the government has a long-standing position that ransoms should not be paid.

https://www.rnz.co.nz/news/national/583248/manage-my-health-data-breach-ransom-deadline-arrives

This position reflects global best practice:
Discouraging payment is about breaking the cybercrime business model, not punishing victims.

The Hard Truth About Ransomware Promises

Even when ransoms are paid:

  • Data is often still sold or leaked

  • Victims may be targeted again

  • Attackers face no accountability

In healthcare especially, paying ransoms risks setting a precedent where criminals exploit the moral pressure to “protect patients at any cost.”


The Second Confusion: What Is a Court’s Cyber Injunction Order?

Following the breach, a High Court injunction was granted to prevent the stolen data from being shared.

This raised another common question:

“What does a cyber injunction actually do?”

A cyber injunction explained simply

A Court Cyber Injunction Order is a legal directive that:

  • Prohibits the publication, distribution, or sharing of hacked or stolen data

  • Applies to any person or entity, including media platforms and unknown third parties

  • Is designed to prevent further harm, not undo the breach

In short, the court is saying:

“Even if this data exists, you are legally forbidden from spreading it.”


Why Courts Use Injunctions After Data Breaches

Injunctions are especially important when:

  • The data involves health, children, or vulnerable individuals

  • Ongoing dissemination would cause irreversible harm

  • Public interest lies in protecting victims, not amplifying the attack

While an injunction cannot erase stolen data, it:

  • Reduces secondary harm

  • Limits mass exposure

  • Creates legal consequences for further sharing

Anyone who breaches an injunction may face:

  • Contempt of court

  • Significant fines

  • Potential imprisonment


Cyber Injunctions Are About Harm Reduction

It’s important to understand that a cyber injunction:

  • Is not censorship

  • Is not about hiding the incident

  • Is not protecting the organisation’s reputation

It is about protecting individuals whose data has already been compromised.

From a cyber governance perspective, this is a people-first legal control.

For a comparable example, read about the Qantas cyber incident and court injunction order below:

https://australiancybersecuritymagazine.com.au/qantas-gains-interim-injunction-in-the-nsw-supreme-court/


A Bigger Lesson for Cyber Security Professionals

As security professionals, incidents like this remind us that our role goes beyond:

  • Controls

  • Audits

  • Certifications

Cyber security is fundamentally about:

  • Enabling trust

  • Protecting people

  • Supporting digital health and public services safely

Strong governance, incident readiness, and ethical decision-making matter just as much as technical controls.


Final Thoughts: Resilience Over Reaction

The ManageMyHealth incident highlights three critical truths:

  1. Paying ransoms may feel expedient, but it fuels long-term harm

  2. Court cyber injunctions exist to protect victims, not attackers

  3. Digital resilience requires leadership, ethics, and collaboration

Cyber resilience is not about reacting under pressure —
it’s about making principled decisions before a crisis forces your hand.

Trust is hard to build and easy to lose.
How we respond to cyber incidents defines not just our security posture, but our values.