Te Whatu Ora Health New Zealand has disclosed details of a breach in the IT system of one of its regional offices five months ago.
In October, a hacker accessed and downloaded organisational and potentially sensitive staff information from Te Whatu Ora Central Region.
Compromised data includes some general occupational health and safety information and sensitive data, including medical assessments and health-related correspondence, covering 2020 and 2024. The breach involves two Central region districts: Capital, Coast and Hutt Valley, and Wairarapa.
"There is no evidence the impacted information has been shared by the malicious actor or posted online anywhere. We will continue to monitor this," Te Whatu Ora stressed.
Te Whatu Ora has also yet to provide an estimated count of the affected individuals. Given the incident's "complexity," it was not able to notify each of them. "Health NZ takes its obligations to protect the privacy and security of personal information extremely seriously," the organisation maintained.
The Privacy Commissioner and NZ Police have since been engaged in the case, with the police intending to file a criminal charge against the suspected hacker.
THE LARGER TREND
This latest cyber attack comes as Te Whatu Ora plans to downsize its workforce, including many data and digital positions. The trade union Public Service Association warned that such a move may not help further prevent IT breach risk.
The organisation, which was set up in 2022, has already dealt with some cyber incidents. In late 2023, a former Te Whatu Ora employee leaked the COVID-19 vaccination data of around 12,000 people to international websites. The perpetrator has since been pressed with criminal charges by the police.
A year back, in 2022, one of Te Whatu Ora's IT service providers reported a cyber attack, which impacted about 14,000 data related to bereavement and cardiac services.
In its recently concluded investigation into the alleged misuse of COVID-19 vaccination data, the Public Service Commission flagged Te Whatu Ora's insufficient back-end protection of sensitive information shared with its third-party service providers.
Following the major cyberattack on the former Waikato District Health Board in 2021, the New Zealand health system operator was advised to enhance its Coordinated Incident Management System, systematic logging and monitoring of its data estate.