What happened
In late 2024 a malicious external actor accessed and downloaded occupational health and safety information about Health New Zealand staff in the Central region, spanning 2020โ2024; Health NZ disclosed it in March 2025 [hnz-rnz], [hnz-twora]. This is a separate incident from the 2024 insider breach of the Covid-19 vaccination register also in this register.
Current status
Disclosed. Health NZ notified the Office of the Privacy Commissioner and the NZ Police Cybercrime Unit is investigating [hnz-rnz]. No count of affected staff was published, so none is asserted here.
Why it matters
Staff occupational-health records include sensitive medical assessments; their theft by an external actor โ tied to an attempt to spread misinformation โ raises both privacy and integrity concerns for the health system.