A “malicious actor” accessed and downloaded private information, some of it “sensitive”, about some former and current staff in the lower North Island, Health New Zealand says.
In a message to staff today, the agency said an investigation revealed occupational health and safety information had been accessed and downloaded in October 2024 in an “IT security incident” affecting Health New Zealand Te Whatu Ora Central region.
It related to some former and current staff members from the Capital, Coast & Hutt Valley, and Wairarapa regions between 2020 and 2024.
“The information affected in this breach ranges from some staff members’ general occupational health and safety information to more sensitive personal information, such as medical assessments and health-related correspondence.”
Health NZ said there was no evidence the downloaded information had been shared or posted online and that it continued to monitor this.
“We deeply regret that this has happened, and we will be apologising to anyone affected and providing full wrap-around support.”
The investigation had been “complex” which was why it took five months to issue the notification, Health NZ said.
“Due to the complexity of the data, it has unfortunately not been practical to individually notify those impacted.”
Immediate steps to secure systems and prevent further risks were taken as soon as the incident occurred, the statement said.
“We also reported it to the Office of the Privacy Commissioner and to the NZ Police. The NZ Police are actively investigating, and we understand that criminal charges will be laid against the malicious actor.”
Police confirmed it was “actively investigating” the complaint and said it could not provide further specifics at this point of the probe.
“The cybercrime Unit is continuing to undertake its inquiries.”
The Office of the Privacy Commissioner said it was being kept up to date with the steps being taken by Health NZ in response to the breach.
“OPC are continuing to engage with Health New Zealand over how the breach happened, what is being done in response to it, and steps being taken to ensure that this sort of breach cannot occur again.”
Health Minister responds
Health Minister Simeon Brown said he had asked for assurances that proposed cuts to Health NZ’s IT teams would not affect frontline services.
The agency had proposed to axe almost half of more than 2000 digital and data roles and scrap or defer 136 IT projects.
When asked about the impact cuts could have on cybersecurity, Brown said he had sought assurances that Health NZ was protecting patient data and that it had the people in place to do that.
“They’re going through a process, they’re consulting with staff, they will do that properly before making any final decisions.”
He added that it was “really important” staff working with data systems were “not clicking on links and are appropriately trained”.
“That’s work Health NZ is doing to make sure this doesn’t happen again.”