A "malicious actor" has accessed and downloaded private information about staff in districts in the lower North Island, Health NZ says.
In a message that has gone out to staff today, the agency said it had reported the incident to police and would be publishing a "public privacy notification" for staff at Capital and Coast, Hutt and Wairarapa.
"This issue relates to an IT security incident in October 2024 that resulted in a malicious actor gaining unauthorised access to some of our staffs' information.
"Our subsequent investigation has shown that a malicious actor unlawfully accessed and downloaded occupational health and safety information relating to some current and former staff members at Capital, Coast & Hutt Valley, and Wairarapa districts covering the period from 2020 to 2024.
"The information affected ranges from some staff members' general occupational health and safety information to more sensitive personal information, such as medical assessments and health-related correspondence."
Health NZ said there was no evidence that the impacted information had been shared or posted online anywhere.
"We continue to monitor this.
"We deeply regret that this has happened, and we will be apologising to anyone affected and providing full wrap-around support. "
As soon as the agency became aware of the incident in October, it took "immediate steps" to secure its systems and launched an investigation.
"We notified the Office of the Privacy Commissioner and reported it to NZ Police. The Police are actively investigating, and we understand that criminal charges will be laid against the malicious actor."
The agency said the investigation had been complex, which is why it had taken five months to issue the notification.
"Due to the complexity of the data, it has not been practical to individually notify those impacted, which is why we are today issuing public notice of the privacy breach on the external and internal websites of Capital, Coast & Hutt Valley, and Wairarapa districts."
"Wrap around support" was available to affected staff.
"We are incredibly disappointed this breach has occurred and have taken steps to prevent something similar from happening again. Right now, however, our focus is firmly on our affected kaimahi and supporting them."
RNZ understands health worker unions were advised at 10am.
Health NZ said it was working on a response to RNZ's questions.
The Public Service Association national secretary Fleur Fitzsimons said it was another wake-up call for the government to urgently reverse huge cuts proposed to Health NZ's data and digital workforce.
"This is just more proof that the damaging cuts to Data and Digital must be reversed, or more sensitive patient and staff information will be put at risk."
Earlier, the PSA asked the Privacy Commissioner to investigate the cuts. The commissioner has said it was reviewing material.
