Te Whatu Ora data breach has vaccinators fearing for their safety

Rowan Quinn for RNZ

A nurse says she will be looking over her shoulder for years after her name was published online in an unauthorised leak of Te Whatu Ora data.

At least 12,000 people, most of them vaccinators, had personal information released online after the breach, and the woman is one of those who were notified by Te Whatu Ora that her name was published on a US website.

The nurse, who did not want her name used, said she was shocked to receive an email from Te Whatu Ora on Friday telling her her name was on the list.

She was not sure what else to do to feel safer, and so far had asked her landlord to fix her fence.

"I just worry that someone will come to my house and threaten me and my children," she said.

The email to the vaccinators said their names were found on a document on the US site on 25 January.

"To the best of our knowledge, your name was removed from the publicly available file on 29 January," it said. "In saying this, I also need to acknowledge that the information is still held by one or more parties outside of our control."

The nurse worried people might track her down years later and wanted Te Whatu Ora to guarantee it would support any nurses with safety help long-term.

She felt let down by the breach. The importance of privacy was drilled into her and her colleagues in training and she had expected the same from Te Whatu Ora, she said.

"I assumed that their standard of confidentiality and privacy would be top-tier, pretty much everything sealed so nothing like this could happen," she said. "I'm quite frustrated they haven't upheld their side of keeping us, as nurses, safe in New Zealand during a pandemic."

Union The Nurses Society represented about 6000 nurses, and its director David Willis said they had heard from a lot of worried people. They were also concerned that they could be approached.

Wills said he had not spoken to anyone who had been threatened or harassed, but the union had emailed advice to all its members on what to do if they were.

"Of course, people are mindful that [the data] is still in the hands of people outside their control and that is concerning and disturbing and hopefully Te Whatu Ora has taken steps to make sure that doesn't happen again."

In a statement, Te Whatu Ora chief of people Andrew Slater said any unauthorised release of data was a gross breach of trust and they were very disappointed.

The agency understood staff and the public trusted them with sensitive data, and it was working to improve internal controls and strengthen data security, he said.

He apologised to all those impacted.

The agency had set up a helpline the vaccinators can call, and its letter suggested other services to go to as well if people wanted advice.

Former Te Whatu Ora employee Barry Young was due in court on Friday, accused of accessing a computer for dishonest purposes in relation to the leaked Te Whatu Ora data.