Ministry of Health Data Breach (2015)

A Ministry of Health email blunder has spilled private medical information of 24,000 Kiwis. Officials are investigating how a spreadsheet of National Health Index (NHI) numbers, containing the birth and death dates of 24,092 people, was emailed to around 950 pharmacists yesterday morning. The email was supposed to be sent internally. Security on NHI numbers is extremely high, with access restricted to health professionals and agencies governed by the Health Information Privacy Code. Access to the data, which also includes gender and location details of an individual, is comprehensively logged and subject to a signed agreement, with the system recording details each time an NHI is looked at - including which NHI, who looked at it, when and what they did with it. An audit programme monitors whether access was justified and whether it was used for legitimate purposes. In a statement to the New Zealand Herald, information director Graeme Osborne said the Ministry "understands that the public rightly expects that any health information, even information which has been protected, should be held secure." The Ministry has apologised for the mistake, saying any unintended release of information - even if it is coded and to a group of health professionals - is not acceptable. "The information related to 24,092 individuals who had passed away in the six months from January this year," a spokesman said. "As soon as the error was made, a second email was sent asking the recipients to delete it. "The Ministry already has precautions in place to prevent mistakes like this from occurring and the first step in its investigation will be to check why those precautions failed in this instance." Labour's health spokeswoman, Annette King, said the ministry's privacy breach is "inexcusable". "Patients must be able to trust the information they give to doctors will only be accessible to staff involved in their treatment. "This data was particularly sensitive. Its release would be hugely distressing to relatives and loved ones. "Ministry staff know confidentiality is paramount when dealing with clients' data and while this particular breach involved coded data, it follows a number of other high profile leaks of information from other Government departments, including ACC, WINZ and IRD. "Any breach of this magnitude is unacceptable, full stop. "The Ministry must now not only assure New Zealanders its systems are robust, but if any patients' released details make them identifiable, families should be contacted and offered an apology."