‘Malicious actor’ steals health staff data

NEWS - eHealthNews.nz editor Rebecca McBeth 

A ‘malicious actor’ accessed and downloaded occupational health and safety information of some Health New Zealand | Te Whatu staff during an IT security breach last October, the organisation has confirmed.

The breach affected employees from the Capital, Coast & Hutt Valley and Wairarapa districts over a four-year period and the perpetrator is likely to face criminal charges.

New Zealand’s largest trade union says that proposed cuts to Health NZ’s data and digital directorate will further compromise the security of the sensitive information it holds. 

Health NZ says in a statement that as soon as the breach was detected, immediate action was taken to secure its systems and investigate the extent of the impact. 

“That investigation has since shown the malicious actor accessed and downloaded occupational health and safety information relating to some current and former staff members across two Central region districts – Capital, Coast & Hutt Valley, and Wairarapa - covering the period from 2020 to 2024,” Health NZ said.

The affected information ranges from general occupational health and safety records to more sensitive personal data, including medical assessments and health-related correspondence. 

Health NZ reassured staff that there is currently no evidence the data has been shared publicly. 

“We deeply regret that this has happened and sincerely apologise to anyone affected,” the agency said, adding that it continues to monitor the situation.

Health NZ is consulting on plans to slash 1120 net roles from the data and digital directorate’s current workforce of 2405 FTE as part of an effort to save $100 million a year from its budget.

Public Service Association (PSA) national secretary Fleur Fitzsimons says data and digital staff warned Health NZ last year about the rising risks if the cuts went ahead.

“This is just more proof that the damaging cuts to data and digital must be reversed, or more sensitive patient and staff information will be put at risk,” Fitzsimons says. 

“Enough is enough. The latest breach should be ringing alarm bells in the Beehive. We urge the Minister to stop the cuts and reassure New Zealanders their information will be safe and secure.”

eHealthNews reported this month that the Minister of Health has asked Health NZ to assure him that proposed changes to its data and digital team will not impact frontline service delivery.

Health NZ says it reported the breach to the Office of the Privacy Commissioner and New Zealand Police, with criminal charges expected against the malicious actor. Meanwhile, it has advised people to remain vigilant against scams.

The national health organisation also pledged to strengthen its cybersecurity measures and learn from the incident. 

“We are committed to continually strengthening our protections and will learn from this incident to make improvements to help prevent something similar from happening again,” a statement says.

To comment on or discuss this news story, go to the eHealthNews category on the HiNZ eHealth Forum

You’ve read this article for free, but good journalism takes time and resource to produce. Please consider supporting eHealthNews by becoming a member of HiNZ, for just $17 a month

Read more Information Governance news

Return to eHealthNews.nz home page