National Party stalwart Michelle Boag gave officials her private email address when asked where best to send a daily list of Covid-19 patients, the Director General of Health says.
Boag was receiving the sensitive information as the chief executive of the Auckland Rescue Helicopter Trust - a role she has since resigned from.
She then sent patient data to two National MPs. One of them, Hamish Walker, then passed the information on to three media outlets, including RNZ.
The move ultimately cost Walker his political career - he announced last week he will not be seeking re-election in his Southland electorate at the upcoming election.
National's Health spokesperson Michael Woodhouse confirmed on Friday he had received four unsolicited emails from Boag containing patient information between 21 and 25 June.
In a media briefing with Health Minister Chris Hipkins this afternoon, Director-General of Health Dr Ashley Bloomfield said officials had been sending the Covid-19 patient details to the Auckland Rescue Helicopter Trust, via Boag's email address, for months.
"The team had explicitly sought from all the organisations who were receiving that information for a very particular purpose in a well established process...what the appropriate email address was to send the information to," Bloomfield said.
RNZ has been told the email address Boag had provided officials was the email address linked to her PR and political consultancy company, Boag Allan SvG.
The process to notify emergency services where the country's Covid-19 cases were located - with the aim of safeguarding emergency workers - had been established months ago, Dr Bloomfield said.
"In case they had to visit a premise where there might be someone who had infection and they could protect their staff and take appropriate measures," he said.
Dr Bloomfield refused to say if he was disappointed in the leak, or whether rescue helicopter trusts should be receiving private patient data, while the matter was still under investigation by Michael Heron.
The government ordered the State Services inquiry into the breach last Monday. It will look at "who or what caused the disclosure of the information, identifying what, if anything might have prevented this from happening and what, if any, improvements might prevent this from happening in the future."
Heron is expected to report back at the end of the month.