Cyber Incident Victim: Te Whatu Ora Health New Zealand

In October 2024, Te Whatu Ora Health New Zealand disclosed a breach involving unauthorized access to IT systems within its Central Region, which occurred five months prior. A malicious actor infiltrated regional systems and downloaded organizational data alongside sensitive staff information, including occupational health and safety records, medical assessments, and health-related correspondence spanning 2020–2024. The breach impacted two districts: Capital, Coast and Hutt Valley, and Wairarapa. Te Whatu Ora confirmed no evidence of public dissemination or online posting of the stolen data but acknowledged an inability to estimate the number of affected individuals or conduct direct notifications due to the incident’s complexity. The organization engaged the Privacy Commissioner and New Zealand Police, with law enforcement pursuing criminal charges against the suspected attacker.

This incident aligns with prior cybersecurity challenges faced by Te Whatu Ora since its 2022 establishment. In late 2023, a former employee leaked COVID-19 vaccination records of approximately 12,000 individuals to international sites, resulting in criminal charges. A separate 2022 breach involving an IT service provider compromised 14,000 records related to bereavement and cardiac services. Investigations into the 2023 leak highlighted insufficient back-end protections for data shared with third-party vendors. Additionally, the 2021 cyberattack on Waikato District Health Board—predecessor to Te Whatu Ora—prompted recommendations to strengthen incident management systems, logging protocols, and data estate monitoring, though specific implementation outcomes were not detailed in the disclosure of the 2024 breach.