Your patients trust you with their health. We make sure your IT never breaks that trust.
Running a healthcare practice means your focus belongs on your patients - not on slow computers, software outages, or wondering whether your patient data is secure. ITstuffed provides managed IT support built around practices like yours, delivered by engineers who understand what's at stake because they've worked in healthcare environments themselves.
15 minutes. No obligation. We'll tell you honestly if we're the right fit.
Sound familiar?
The IT problems healthcare practices can't afford to ignore
Systems that go down when you need them most
When your practice management software, appointment system, or patient records become inaccessible, your whole clinic stops. Every minute of downtime has a direct cost - in staff time, patient experience, and your reputation.
Patient data that's only as safe as your weakest vendor
In late 2024, NZ's largest patient portal exposed 120,000 records - not through a sophisticated attack, but through controls that simply weren't in place. Your patients' data passes through more third-party platforms than most practice owners realise. Knowing who's handling it - and how - matters.
A security incident can put your ACC contract at risk
For many counselling, physio, and allied health practices, ACC funding is the financial backbone of the business. A poorly handled data breach - one that raises questions about how patient information is protected - is exactly the kind of incident that invites scrutiny from funders.
IT support that doesn't understand your environment
Generic IT providers don't know what Medtech, Best Practice, or your clinical software is supposed to look like when it's working. Our engineers do. That context changes how fast problems get diagnosed and fixed.
Who's auditing the platforms your practice trusts?
Healthcare practices in NZ rely on a growing number of third-party software platforms - patient portals, booking systems, cloud storage, clinical records. Each one is a potential entry point. ITstuffed doesn't just secure your own systems. We help you understand and audit the vendors you depend on, so you're not relying on trust alone.
This is one of the most overlooked risks in healthcare IT - and one of the first things we look at.
Why ITstuffed
Engineers who know what it means when systems simply have to work
We're not a generic IT company that happens to serve a few medical clients. Healthcare is in our background. Our engineers have worked in hospitals, radiology departments, and emergency response settings - environments where a system failure isn't just an inconvenience, it's a patient safety issue. That history shapes how we work: proactively, precisely, and with zero tolerance for "we'll sort it tomorrow."
Daniel (Managing Director) holds formal IT qualifications and worked as a registered nurse and paramedic before founding ITstuffed.
David (Engineer) spent nearly 20 years maintaining radiation therapy systems at major NZ hospitals including Christchurch Hospital. Clients regularly request him by name.
John (Engineer) has 20 years in IT, including hands-on IT and admin roles at one of Europe's largest hospitals. He is an active volunteer with St John's Major Incident Support Team.
SMB1001 Gold Certified
ITstuffed holds SMB1001 Gold certification - a recognised cyber security framework that aligns directly with what NZ cyber insurers now require businesses to demonstrate. For healthcare practices handling sensitive patient data, this is the standard we hold ourselves to.
What we cover
Managed IT built around how healthcare practices actually operate
Proactive monitoring & support
We watch your systems around the clock and fix problems before they reach your staff or your patients. When something does go wrong, you reach a real engineer fast - not a call centre.
Cybersecurity & patient data protection
Multi-layered security including endpoint protection, email filtering, access controls, and staff awareness. We align your practice with NZ Privacy Act obligations and what your insurer expects to see.
Vendor & platform oversight
We help you understand the security posture of the third-party software your practice relies on - because your data doesn't stay within your four walls.
Fixed monthly pricing
No surprise invoices. One predictable monthly cost that covers your team, so you can plan ahead without an IT budget blowing out unexpectedly.
“Our organisation engaged IT Stuffed a bit over a year ago and we have been very happy with their services to date. We value them being a local small business and appreciate their friendly yet professional interactions. They do not fluster easily and that has a calming effect on people with IT challenges. When faced with a cyber-attack a year ago we greatly appreciated the immediate and ongoing support we received from IT Stuffed. Happy to recommend this service.”
Maggy Tai Rākena
What Our Clients Say
“IT Stuffed ran a full systems cyber security audit for us, which was very eye-opening! They helped us implement the necessary changes and gave us some strategic advice on future steps. Daniel and the team are incredibly dedicated, great communicators and a real pleasure to deal with.”
Zia Lilley
“Our medium sized business changed IT providers to IT Stuffed six months ago and the service has been excellent. We are making good progress to strengthening our IT infrastrucute and we have more confidence that our data and business security is improving.”
Demelza Pearey
“David was absolutely fantastic to deal with. We've just moved into a new office and he has made the whole process super smooth and I've had lot's of compliments from the team about his service (this never happens with IT people) so props to David and IT Stuffed.”
Ethan Gerrard
Case Study
“MFA wasn't enough - and their ACC contract was on the line.”
A Christchurch counselling practice had MFA in place when a staff member clicked a convincing phishing email and unwittingly handed an attacker a live session token - bypassing MFA entirely. The breach spread to multiple accounts before it was detected, triggering a mandatory Privacy Commissioner notification and urgent concern about their ACC contract.
ITstuffed was brought in during the incident, working alongside their cyber insurer, a forensics team, and legal counsel to contain the breach and protect client data. The forensics team found it highly unlikely that records were exfiltrated - a finding that shaped the outcome. The practice is now an active client, with the layered controls in place that would have stopped the attack entirely.
“They had MFA. They had good intentions. They still got breached - because one well-crafted email was all it took.”Read the full case study
Related reading
Why MFA Wasn't Enough to Stop a Healthcare Breach - A Real NZ StoryThe same incident explained in depth - including the technical mechanics of how a phishing site harvests session tokens to bypass MFA in real time.
Common questions
Things healthcare practices usually ask us
Do you support Medtech, Best Practice, and other clinical software?
Yes, with an important distinction. Clinical software platforms like Medtech, Best Practice, and Gensolve have their own support teams and SLAs. ITstuffed is not the software vendor, and we won't pretend to be experts inside those systems. What we do is act as your IT partner in those conversations. Clinics with support agreements get faster resolution when their IT provider can communicate directly with the software vendor on their behalf, translating the technical environment, providing context about the clinic's setup, and making sure the right information gets to the right people quickly. Most practices find that issues get resolved significantly faster when we're in the room, so to speak, than when a practice manager is trying to bridge two technical conversations alone. Think of it as translating between two different languages: yours and theirs. We make sure nothing gets lost.
What happens to our ACC contract if we have a data breach?
ACC expects its contracted providers to meet certain standards around the privacy and security of client information. A breach that is mishandled - or where basic security controls were clearly absent - can trigger a review of your provider status. This isn't a theoretical risk: the NZ Privacy Act now requires mandatory breach notification to the Privacy Commissioner in many cases, and that notification becomes part of a public record.
The best protection for your ACC contract is being able to demonstrate that you had appropriate controls in place and responded properly. That's exactly what ITstuffed helps you put in place - and document.
We already have MFA. Aren't we protected?
MFA is an important control, but it is not a complete solution on its own - and attackers know how to get around it. One increasingly common method is session token harvesting: a staff member receives a convincing phishing email, clicks a link, and enters their credentials on a fake login page. That page captures their live session token in real time, bypassing MFA entirely.
We have worked with a Christchurch healthcare practice where this happened. They had MFA in place. They still experienced a breach that spread to multiple accounts and triggered a Privacy Commissioner notification. Effective protection requires layered security - email filtering to stop the phishing email reaching the inbox, DNS filtering to block the malicious site even if clicked, endpoint detection to catch unusual behaviour, and identity threat monitoring to flag anomalous logins. MFA is one layer. It shouldn't be the only one.
What does the NZ Privacy Act require healthcare practices to do about data security?
Under the Privacy Act 2020, organisations that hold personal information - including health information - must take reasonable steps to protect it from unauthorised access, use, or disclosure. Healthcare information is treated as particularly sensitive. If a breach occurs that has caused, or is likely to cause, serious harm, you are legally required to notify both the affected individuals and the Privacy Commissioner. Failing to notify when required is a breach of the Act in itself.
Beyond the legal minimum, good practice means knowing what data you hold, where it lives, who can access it, and what your response plan looks like if something goes wrong. If you are unsure whether your current setup meets these obligations, an IT Fit Check is a good place to start.
How quickly can you respond if something goes wrong?
We have formal SLAs in place for all managed services clients. Every support request is logged, triaged on receipt, and assigned a priority. Response times are guaranteed based on that priority: Critical (systems down, active security incident) 1 hour; High (significant impact on operations) 2 hours; Normal (single user affected, workaround available) 4 hours; Low (general queries, minor issues) 8 hours. In practice, most urgent calls are picked up within 15 minutes. Critical issues are not sitting in a queue. They are flagged immediately and handled first. You will always know the status of your request.
Our Partners
We work closely with best-in-class technology partners to deliver comprehensive managed IT and cybersecurity services to our clients.
Ready to take IT off your plate?
Book a free 15-minute IT Fit Check. We'll look at your current setup, identify any obvious risks or gaps, and give you an honest answer about whether we're the right fit for your practice. No hard sell. No jargon. Just a straight conversation between people who understand healthcare - and what's at stake if your IT lets you down.
For ACC-dependent practices, getting this right isn't optional. We can help you understand exactly where you stand.
Book Your IT Fit CheckNo obligation. No lock-in. We work with independent practices of 5–50 users across Christchurch and wider NZ.
Based in Christchurch, serving practices across New Zealand.