Health NZ confirms data breach affecting staff in lower North Island

CHRO offers 'sincere' apologies after sensitive staff data accessed from Health NZ's Central region — investigations continue

Health New Zealand | Te Whatu Ora has publicly confirmed that a malicious actor gained unauthorised access to staff occupational health and safety records across two of its Central region districts. The breach, which occurred in October 2024, affected current and former employees linked to Capital, Coast & Hutt Valley, and Wairarapa districts between 2020 and 2024. 

In a privacy notice published on 27 March 2025, Health NZ said it had taken immediate action to secure its IT systems and launched an internal investigation, which has since concluded that sensitive information was accessed and downloaded. The affected data ranges from general workplace health and safety information to more personal material, including medical assessments and health-related correspondence. 

While there is currently no indication that the stolen data has been distributed or posted online, Health NZ said it continues to monitor the situation closely. The agency has apologised to those impacted, saying, “We deeply regret that this has happened and sincerely apologise to anyone affected.” 

Due to the complexity of the breach, Health NZ said it was not practical to notify affected individuals directly. The matter has been reported to the NZ Police and the Office of the Privacy Commissioner. Health NZ also confirmed that criminal charges are expected to be laid. 

The agency urged vigilance among staff, recommending practical steps such as enabling two-factor authentication, being cautious with unsolicited communications, and reviewing Scamwatch resources provided by MBIE. 

CHRO offers ‘sincere’ apologies 

Health NZ staff were officially notified of the breach on 27 March via internal communications, with Radio New Zealand (RNZ) confirming that union representatives were informed earlier the same morning. 

In its coverage, RNZ quoted Health NZ’s interim chief human resources officer Fiona McCarthy, who reiterated the agency’s regret: “We deeply regret that this has happened, and we sincerely apologise to any of our staff who may be affected.” 

She stressed that the breach was limited in scope and did not involve patient information. “It is not a system-wide issue,” McCarthy added. “We have already begun to make changes to help prevent something like this from happening again.” 

Health Minister Simeon Brown also addressed the incident, stating that he had sought assurances that recent and proposed cuts to Health NZ’s data and digital services would not compromise the protection of sensitive information.  

“Cybersecurity is frontline work,” Brown said in the RNZ article. “It’s not about just protecting bureaucracy. It’s about protecting delivery.” 

Unions challenge cuts to digital roles 

The breach has triggered broader concerns from public sector unions. Fleur Fitzsimons, national secretary of the Public Service Association (PSA), criticised government cost-cutting measures, warning that reduced investment in data and digital roles increases the risk of further breaches. 

“This is just more proof that the damaging cuts to Data and Digital must be reversed, or more sensitive patient and staff information will be put at risk,” she said in the RNZ article.

The Office of the Privacy Commissioner confirmed it had been notified and is actively engaging with Health NZ to understand how the breach occurred and what mitigation steps are being implemented. Meanwhile, the NZ Police Cybercrime Unit continues its investigation.