The medical data of patients across Wellington, Kapiti and Wairarapa may have been breached.
An investigation into the August cyberattack on Primary Health Organisation (PHO) Tū Ora Compass Health, has revealed earlier ones dating back to 2016.
- New Zealand offers potential for 'Chinese espionage'
- PM denies intelligence pointed to China in Anne-Marie Brady burglaries
- GCSB, NZSIS concerned about foreign interference in New Zealand election
Tū Ora holds data on individuals dating back to 2002 and says anyone enrolled from that time could be affected. Estimates put the number of people that could have been affected at up to one million.
It said hackers could not have accessed private GP notes as they're held by individual medical centres rather than the PHO.
The Ministry of Health says there was some important data in Tu Ora's systems.
"The data does include who is enrolled at which medical centre, their National Health Index Number, name, date of birth, ethnicity and address," the Ministry of Health said in a statement.
"For some people Tū Ora also holds additional clinical information used for health promotion, such as smoking status, for managing chronic conditions like diabetes, or to deliver services."
Tū Ora said there's no evidence patient data was accessed but people should be wary of unusual online requests.
Anyone who is concerned or wants to know more can call Tū Ora's help line on 0800 499 500.
Tū Ora said it has notified the police.
Anyone who is concerned by the incident is urged to call 0800 499 500 or +64 6 927 6930 for overseas callers.