Privacy Breach Public Notice

As soon as we became aware, we took immediate steps to secure our systems and started an investigation to determine what information was impacted.  

That investigation has since shown the malicious actor accessed and downloaded occupational health and safety information relating to some current and former staff members across two Central region districts – Capital, Coast & Hutt Valley, and Wairarapa - covering the period from 2020 to 2024. 

The information affected in this breach ranges from some staff members’ general occupational health and safety information to more sensitive personal information, such as medical assessments and health-related correspondence.  

There is no evidence the impacted information has been shared by the malicious actor or posted online anywhere. We will continue to monitor this. 

We deeply regret that this has happened and sincerely apologise to anyone affected. 

Health NZ’s investigation into this incident was complex, which has contributed to the time taken for us to issue this notification. Please be assured that we took swift action at the time to secure our systems and implement measures to prevent further risks. Due to the complexity of the data, it has unfortunately not been practical to individually notify those impacted.  

At the time of the incident, Health NZ took immediate action to contain it. We also reported it to the Office of the Privacy Commissioner and to the NZ Police. The NZ Police are actively investigating, and we understand that criminal charges will be laid against the malicious actor.    

People should remain vigilant against the risk of scams and unsolicited correspondence, such as phone calls, emails, or messages on social media. We strongly advise caution when sharing personal information and to verify the authenticity of any communication before responding. Please refer to the "Support and Additional Information" below for practical steps you can take to protect yourself. 

Health NZ takes its obligations to protect the privacy and security of personal information extremely seriously. We are committed to continually strengthening our protections and will learn from this incident to make improvements to help prevent something similar from happening again. This work has already started.   

If you are a current or former staff member of Health NZ who utilised Capital & Coast, Hutt Valley or Wairarapa District occupational health and safety services during 2020-2024 and you think you may have been impacted or if you have any questions about your information, please email Health NZ at securityinfo@tewhatuora.govt.nz. Our team is available to provide assistance and support.  

Affected individuals also have the right to make a complaint with the Office of the Privacy Commissioner at any time. For more information on how to do so, please visit https://privacy.org.nz. 

Support and additional information

What support is available?  

There are multiple support options available to impacted people. Please contact Health NZ directly to determine if you are an impacted person in this breach.  

 Where can you get mental health and wellbeing support?  

The Mental Health Foundation is a charity that can provide advice and additional help in the form of mental health services. A number of support services can be found on their website: www.mentalhealth.org.nz/helplines, including:  

• free call or text 1737 for support anytime from a trained counsellor; 

• Suicide Crisis Helpline – 0508 828 865 (0508 TAUTOKO). 

What protective steps can you take?  

We recommend the following tips to help keep your information safe and secure: 

• Stay alert – do not respond to suspicious telephone calls, text messages or unsolicited contact on social media. 

• Don’t give out any personal information - do not share your personal information with anyone unless you are confident about who you are sharing it with. 

• Be smart with social media – set your privacy so that only friends and family can see your information. This will also help prevent unwanted contact through these channels. 

• Check the URL – confirm that links are directing you to a legitimate website by hovering over the link before clicking. If in doubt, open up a separate browser and use a search engine to find the website.   

• Set up two-factor authentication - enable multi-factor authentication for your online accounts where possible, including your email, banking, and social media accounts. 

• Install antivirus software - ensure you have up-to-date anti-virus software installed on any device you use to access your online account. 

• Choose unique passwords – have a different password for all your online accounts. If one account is compromised, having unique passwords means your other accounts aren’t at risk. CERT NZ provides guidance around good password practice here:  
  https://www.ownyouronline.govt.nz/personal/get-protected/guides/how-to-create-good-passwords/