- Police cyber crime unit investigating breach of "sensitive" Health NZ staff data and expects to lay charges
- Health NZ tight-lipped on whether employee or hacker involved
- Ex-staffer says short-staffing and lack of funding for upgrades have led to "insecure systems"
Health NZ is refusing to confirm whether the "malicious actor" behind a data breach involving staff's personal health information was an external hacker or an inside job.
However, a former IT staffer from the affected region - who RNZ has agreed not to name - said many systems "across the motu" were vulnerable to attack due to staff shortages and deferred upgrades.
The agency informed current and former staff at Capital, Coast and Hutt and Wairarapa on Thursday about the breach in October.
It involved occupational health and safety information about staff, including what the agency described as "sensitive personal information".
Health NZ's interim human resources officer Fiona McCarthy said it was "not a system-wide issue" and the health information of members of the public was not affected.
"The incident happened late last year and as soon as we became aware, we took immediate steps to secure our systems and launch an investigation," she said.
"We deeply regret that this has happened, and we sincerely apologise to any of our staff who may be affected."
A systems engineer, who worked for Health NZ until earlier this year, said he was still waiting to hear if he had personally been affected by the breach - but was "not surprised" that it had happened.
While he was not part of the investigation into the breach, he had been aware of it.
"They need more engineers. I had a discussion with my team leader, and he agreed we needed about 50 more people who know what they're doing, looking after Capital and Coast, Hutt and Wairarapa."
It was "a fairly small team" doing its best to secure ageing infrastructure, he said.
"It's all well and good to merge 'the business' [turn 20 district health boards into a single agency] but exponentially more complicated to merge the IT.
"You're talking about very large, complex, regional wide-ranging infrastructure with millions, even billions, of moving parts: all those systems, all those archives, all those databases over so many years - and lots of people with access."
Furthermore, there was not enough investment for upgrades, he said.
"We didn't get the funding to do as many of the upgrades as we wanted to do, so the result is a hodge-podge over time, and insecure systems."
Many IT staff were leaving Health NZ, even before the final confirmation of cuts to data and digital, he said.
"A lot of people are upset at the changes."
RNZ asked Health NZ for its response to the ex-worker's claims about IT staff shortages and requests for resources being declined, but was told it had "nothing further to add to the statement at this time".
More breaches likely - union
Public Service Association national secretary Fleur Fitzsimons said the incident was a stark warning that the government needed to urgently rethink budget cuts.
"This is serious and it's appropriate that the police are involved.
"Alarm bells are ringing and this will be just the beginning of serious privacy breaches if the data and digital cuts are not revised."
Te Whatu Ora has proposed to cut almost half its data and digital positions - more than 1000 of them, including vacant roles - and cut or pause more than 100 projects.
Internal documents revealed its new strategy to "fail early, fail often, succeed over time", which was labelled "unacceptable" by the PSA.
Health Minister wants assurances patients won't be affected
Health Minister Simeon Brown said he had "asked for assurances" that front-line service delivery would not be affected.
Health NZ was working to prevent further data breaches, including staff training to ensure no-one with access to a database "clicked on any links", he said.
Health NZ declined to say whether the breach was the result of an external cyber attack or a rogue employee, or what the potential motivation may have been.
It said due to the ongoing police investigation, it was unable to add anything to its earlier statement.
The vulnerabilities of Health NZ's IT systems have been exposed previously.
Waikato District Health Board was warned its IT security was inadequate and severely compromised just months before a devastating ransomware attack in 2021.
In December 2023, IT worker Barry Young was charged with dishonestly accessing databases belonging to his former employer, Health NZ.