The Ministry of Health is in the dark over what - if anything - was taken in the cyber attack two months ago.
It has admitted the hack attack revealed previous cyber intrusions going back to 2016.
The hack attack appears to have come from a hacker or hackers dubbed Vanda The God, which this morning tweeted about the exploit saying: “Yes I’m Have 1 million datas PHO Zealand.”
The tweet came with an offer to sell information.
Minister of Health David Clark is facing calls to offer assurance to New Zealanders over the security of their information amid claims medical information at risk includes mental and sexual health details.
Director-General of Health Dr Ashley Bloomfield said the National Cyber Security Centre had been working with health authorities on the hack since it was discovered in early August.
He said a decision had been made to not tell the public while effort went into checking how vulnerable other systems were, and while trying to discover if any data had actually been taken.
He said the review of health-related systems had since found three district health boards vulnerable to cyber attack.
He said the review from mid-September aimed to discover further vulnerabilities and was ongoing.
It would include all health boards and public health organisations.
He said he was unsure the extent to which the Government Communications Security Bureau's Cortex security system was in place across district health boards. He said public health organisations were not covered.
The review identified four hacks: two by cyber "hacktavists" such as Vanda The God, and two others by more "sophisticated" parties.
Cyber attacks tend to be divided between state-sponsored intrusion, criminal enterprises and cyber activists.
Bloomfield did not have further details about the "sophisticated" attack.
The Ministry of Health said the data at risk included who is enrolled at which medical centre, their National Health Index Number, name, date of birth, ethnicity and address. It could also include clinical information for health promotion, such as smoking status, for managing chronic conditions like diabetes, or to deliver services.
Tū Ora Compass Health chief executive Martin Hefford said the August 5 hack was part of a "global cyber incident" which led to an investigation revealing the earlier attacks from 2016 through to March 2019.
"We don't know the motive behind the attacks. We have laid a formal complaint with police and they are investigating.
"We cannot say for certain whether or not the cyber attacks resulted in any patient information being accessed. Experts say it is likely we will never know. However, we have to assume the worst and that is why we are informing people."
Hefford said Tū Ora held data on people going back to 2002 from the Wellington, Wairarapa and Manawatu regions.
Anyone enrolled at a medical centre during that time period could be affected, it said.
The information at risk did not include GP notes, which were held by individual medical centres.
"While this was an illegal attack by cyber criminals, it was our responsibility to keep your data safe and I am very sorry we have failed to do that.
"While we have no evidence that patient data was accessed, we encourage you to be vigilant to unusual online requests."
National Party health spokesman said Clark had to reassure the public about the security of their information held on government systems.
"This cyber security breach may have seen information about the mental health, sexual health and other private enrolment information of several thousand past and present patients of practices with Tū Ora Compass PHO accessed and in criminal hands. This is an extremely serious and concerning breach."
• An information line has been set up to help those who may be at risk. It is 0800 499 500 or 06 9276930 for those calling from overseas.