27 Mar 2025

Data breach: 'Malicious actor' downloaded private information about Health NZ staff

4:37 pm on 27 March 2025

A "malicious actor" has accessed and downloaded private information about staff in districts in the lower North Island, Health NZ says.

In a message that has gone out to staff today, the agency said it had reported the incident to police and would be publishing a "public privacy notification" for staff at Capital and Coast, Hutt and Wairarapa.

"This issue relates to an IT security incident in October 2024 that resulted in a malicious actor gaining unauthorised access to some of our staff's information.

"Our subsequent investigation has shown that a malicious actor unlawfully accessed and downloaded occupational health and safety information relating to some current and former staff members at Capital, Coast & Hutt Valley, and Wairarapa districts covering the period from 2020 to 2024.

"The information affected ranges from some staff members' general occupational health and safety information to more sensitive personal information, such as medical assessments and health-related correspondence."

Health NZ said there was no evidence that the impacted information had been shared or posted online anywhere.

"We continue to monitor this.

"We deeply regret that this has happened, and we will be apologising to anyone affected and providing full wrap-around support."

If you are a victim of the IT breach please contact ruth.hill@rnz.co.nz

As soon as the agency became aware of the incident in October, it took "immediate steps" to secure its systems and launched an investigation.

"We notified the Office of the Privacy Commissioner and reported it to NZ Police. The Police are actively investigating, and we understand that criminal charges will be laid against the malicious actor."

The agency said the investigation had been complex, which is why it had taken five months to issue the notification.

"Due to the complexity of the data, it has not been practical to individually notify those impacted, which is why we are today issuing public notice of the privacy breach on the external and internal websites of Capital, Coast & Hutt Valley, and Wairarapa districts."

"Wrap around support" was available to affected staff.

"We are incredibly disappointed this breach has occurred and have taken steps to prevent something similar from happening again. Right now, however, our focus is firmly on our affected kaimahi and supporting them."

RNZ understands health worker unions were advised at 10am.

Health NZ said it was working on a response.

Its interim chief human resources officer, Fiona McCarthy, said it was "not a system wide issue" and patient information about members of the public was not affected.

"We deeply regret that this has happened, and we sincerely apologise to any of our staff who may be affected," she said.

The information ranged from some staff members' general occupational health and safety information to "more sensitive personal information", collected from 2020 to 2024.

"There is no evidence this information has been shared or uploaded online anywhere. We are continuing to monitor this."

The matter had been reported to both the Office of the Privacy Commissioner and to the police.

"The police are actively investigating and expect to lay charges. We will not be sharing further details while this is underway."

She said Health NZ continued to take the security of the information it held "extremely seriously".

"We have already begun to make changes to help prevent something like this from happening again," McCarthy said.

Meanwhile, any current or former staff member who used Capital, Coast & Hutt Valley or Wairarapa District occupational health services during that period and thought they could have been affected was urged to contact Health NZ, she said.

Health Minister Simeon Brown said he had asked for "assurances" that cuts to data and digital services at Health NZ would not affect the security of patient data.

In response to questioning, Brown confirmed he considered cyber security to be "front-line work".

"I've asked for assurances to ensure that front-line service delivery is protected. Ultimately ... It's not about just protecting bureaucracy. It's about protecting delivery, and that's the assurance I've asked for."

Brown said Health NZ was following its own processes for dealing with the breach.

"Ultimately, it's really important that anyone working with data systems has to make sure they're not clicking on links and they're appropriately trained, and that's part of the work that Health NZ is doing to make sure this doesn't happen again."

The Office of the Privacy Commissioner (OPC) said Te Whatu Ora had "notified" it of the breach.

"OPC are continuing to engage with Health New Zealand over how the breach happened, what is being done in response to it, and steps being taken to ensure that this sort of breach cannot occur again."

A police spokesperson confirmed it was "actively investigating" the complaint made by Health NZ.

"We are not able to provide further specifics at this point in the investigation. The Cybercrime Unit is continuing to undertake its enquiries."

The Public Service Association national secretary Fleur Fitzsimons said it was another wake-up call for the government to urgently reverse huge cuts proposed to Health NZ's data and digital workforce.

"This is just more proof that the damaging cuts to Data and Digital must be reversed, or more sensitive patient and staff information will be put at risk."

Earlier, the PSA asked the Privacy Commissioner to investigate the cuts. The commissioner has said it was reviewing material.
