Privacy breach public notice
In October 2024, Health New Zealand | Te Whatu Ora Central region was subject to an IT security incident that resulted in a malicious actor gaining unauthorised access to some local organisational information.
Privacy breach public notice — Wairarapa
In October 2024, Health New Zealand | Te Whatu Ora Central region was subject to an IT security incident that resulted in a malicious actor gaining unauthorised access to some local organisational information.
As soon as we became aware, we took immediate steps to secure our systems and started an investigation to determine what information was impacted.
That investigation has since shown the malicious actor accessed and downloaded occupational health and safety information relating to some current and former staff members across two Central region districts – Capital, Coast & Hutt Valley, and Wairarapa - covering the period from 2020 to 2024.
The information affected in this breach ranges from some staff members’ general occupational health and safety information to more sensitive personal information, such as medical assessments and health-related correspondence.
There is no evidence the impacted information has been shared by the malicious actor or posted online anywhere. We will continue to monitor this.
We deeply regret that this has happened and sincerely apologise to anyone affected.
Health NZ’s investigation into this incident was complex, which has contributed to the time taken for us to issue this notification. Please be assured that we took swift action at the time to secure our systems and implement measures to prevent further risks. Due to the complexity of the data, it has unfortunately not been practical to individually notify those impacted.
At the time of the incident, Health NZ took immediate action to contain it. We also reported it to the Office of the Privacy Commissioner and to the NZ Police. The NZ Police are actively investigating, and we understand that criminal charges will be laid against the malicious actor.
People should remain vigilant against the risk of scams and unsolicited correspondence, such as phone calls, emails, or messages on social media. We strongly advise caution when sharing personal information and to verify the authenticity of any communication before responding.
Support and additional information (internal link)
Health NZ takes its obligations to protect the privacy and security of personal information extremely seriously. We are committed to continually strengthening our protections and will learn from this incident to make improvements to help prevent something similar from happening again. This work has already started.
If you are a current or former staff member of Health NZ who utilised Capital & Coast, Hutt Valley or Wairarapa District occupational health and safety services during 2020-2024 and you think you may have been impacted or if you have any questions about your information, email Health NZ at securityinfo@tewhatuora.govt.nz. Our team is available to provide assistance and support.
Affected individuals also have the right to make a complaint with the Office of the Privacy Commissioner at any time.
Support and additional information
There are multiple support options available to impacted people. Contact Health NZ directly to determine if you are an impacted person in this breach.
The Mental Health Foundation is a charity that can provide advice and additional help in the form of mental health services. A number of support services can be found on their website.
Helplines — Mental Health Foundation (external link)
We recommend the following tips to help keep your information safe and secure:
- Stay alert — do not respond to suspicious telephone calls, text messages or unsolicited contact on social media.
- Do not give out any personal information - do not share your personal information with anyone unless you are confident about who you are sharing it with.
- Be smart with social media — set your privacy so that only friends and family can see your information. This will also help prevent unwanted contact through these channels.
- Check the URL — confirm that links are directing you to a legitimate website by hovering over the link before clicking. If in doubt, open up a separate browser and use a search engine to find the website.
- Set up two-factor authentication - enable multi-factor authentication for your online accounts where possible, including your email, banking, and social media accounts.
- Install antivirus software — ensure you have up-to-date anti-virus software installed on any device you use to access your online account.
- Choose unique passwords — have a different password for all your online accounts. If one account is compromised, having unique passwords means your other accounts are not at risk. Own Your Online provides guidance around good password practice.
Create good passwords — Own Your Online (external link) - Get more top tips — review the New Zealand Ministry of Business, Innovation & Employment's Scamwatch guidance on protecting yourself from scams.
Scamwatch — Consumer Protection (external link)