UPDATE 2: Unauthorised data breach and attempt to spread misinformation

Health New Zealand Te Whatu Ora has taken action today [19 December 2023] in relation to claims on social media connected to a recent data breach by a staff member.

We believe the threat in the social media post to release private health information accessed from Te Whatu Ora breaches current orders from the Employment Relations Authority and as such we have responded accordingly.

The Covid vaccination data set previously posted on overseas websites contained information which included vaccination information and dates, though the contents were altered to anonymise individuals.

Our investigation thus far has shown that with considerable effort, we believe someone with expert technical knowledge could potentially identify a very small number of individuals, some of these individuals are deceased. Once our forensic work is complete, we will contact the families of those that could be identified.

We can also confirm that the investigation has found the employee inappropriately sent some other information outside the organisation. There is no evidence at this time this information was shared publicly, or with other people, however we are working with experts to provide us with further assurance this information was not shared more widely.

Once our work is complete, we will contact those significantly impacted by this breach.

Since we became aware of the breach of privacy, we have taken the following steps:

1. The employee’s access to our systems and information was immediately disabled.

2. The Office of the Privacy Commissioner was promptly notified and we have worked closely with them to take all the appropriate steps related to this incident.

3. We have placed the highest priority on investigative work, including using cross-government skills and international expertise in cyber and data security.

4. We obtained urgent orders from the Employment Relations Authority that prohibits sharing of relevant information (both by the employee and other parties).

5. We have successfully requested that information be taken down from various websites and internet platforms, including internationally.

6. We are working with several government agencies.

7. We will continue to cooperate with NZ Police regarding their investigation.

We wish to thank all organisations who have assisted us in some way, recognising the importance of protecting personal information. This includes government agencies and companies who have responded in a timely way to support our work.

Alongside our operational response we are looking at our processes for data security and will make any changes that are needed to further increase the security of information.”