The time taken to detect and disclose cyber incidents, and how notification practices align with privacy and disclosure obligations. 
The separation between clinical and administrative systems, and whether different platforms and modules are segregated from a technology and contractual perspective. 
The influence of third-party technology providers and portals on the overall risk profile of hospitals, clinics, and general practices. 
The role of court orders and other legal measures alongside ongoing extortion attempts and potential data leakage.

For claims teams and brokers, these cases illustrate how cyber incidents can trigger multiple coverage questions across cyber, privacy liability, and possibly medical malpractice policies, including how forensic costs, notification expenses, legal response, and regulatory engagement are treated under policy wordings. As investigations, regulatory reviews, and any subsequent litigation develop, New Zealand insurers and intermediaries are expected to factor lessons from both incidents into underwriting decisions, risk assessments, and advice on cyber resilience and data governance for health sector clients.