🔒breach.co.nz · the NZ & Australia breach register 🛡️ A Govern service
Register › 🇳🇿 NZ › Healthcare

Pinnacle Midlands Health Network

🇳🇿 Hamilton, Waikato · Pinnacle Incorporated (Midlands Health Network) · Record NZ-2022-0088
○ Reported — awaiting official confirmation
Reported — awaiting official confirmation. The facts below are drawn from the organisation's own disclosure and credible reporting. Figures are as reported; unknowns are labelled, not estimated by us.
People affected
450,000 (approx)
Breach date
2022-09
Regulator
Office of the Privacy Commissioner (NZ)
Trust tier
B · Reported

Data exposed

Patient addresses and National Health Index (NHI) numbers Company-confirmed
Immunisation and screening status, and data about services provided Company-confirmed

Confidence: Confirmed = regulator/court · Company-confirmed = the organisation's own disclosure · Media-reported = press. Figures without an official source are labelled, not estimated.

What happened

In October 2022 Pinnacle Midlands Health Network — a large North Island GP network operating across Waikato, Taranaki and Tairāwhiti — disclosed that cyber attackers had stolen and then published patient data on the dark web, affecting up to 450,000 people [rnz-pinnacle]. The exposed information included patient addresses, National Health Index (NHI) numbers, immunisation and screening status, and data about services provided [rnz-pinnacle].

Timeline

  • 2022-09 — Unauthorised access is understood to have occurred roughly two weeks before public notification [rnz-pinnacle].
  • 2022-10-10 — Pinnacle notified the public; within 24 hours it confirmed stolen data had been posted to the dark web [rnz-pinnacle].

Current status

Pinnacle said it was working with Police and the Office of the Privacy Commissioner. The figure of “up to 450,000” is the organisation’s own upper estimate as reported; the attackers’ identity was not established at the time of reporting [rnz-pinnacle], [nzh-pinnacle].

Why it matters

A primary-care network holds identifying and clinical data on a very large population. The publication of that data to the dark web — including NHI numbers — makes this one of the most serious health-sector breaches on the New Zealand record.

GGOVERN Tabletop Exercises · Govern house When ransomware hits the ward, will your team know the call? Book a Discovery Call →