Minister for ACC Judith Collins has criticised her agency's "poorly handled" response to a massive breach of claimants' information.
ACC chief executive Ralph Stewart yesterday confirmed an Auckland worker had accidentally attached a spreadsheet containing thousands of private records in an email to another client.
About 9000 records were sent relating to about 6000 people, including 137 who had suffered injuries from sexual abuse or assault.
The client told ACC in December about the information breach.
However, Ms Collins was only informed about the breach through media reports yesterday.
She admitted the response had been "poorly handled" in an interview on Radio Live this morning.
"It has been poorly handled and I think the chief executive has confirmed that... They need to improve their work in relation to privacy and they need to do that straight away."
When asked whether "heads will roll" over the incident, Ms Collins said the agency would go through employment processes.
She said the staff member who accidentally leaked the details was "extraordinarily distraught".
"It's a bit difficult to have people's heads rolling when the chief executive's pretty new, in there a couple of months.
"I understand there are obviously employment processes that they have to go through.
"But they're also saying to me there's no way the staff member meant to do anything wrong."
Ms Collins criticised the client who received the confidential records.
The client allegedly used the information as leverage to make demands of ACC, Ms Collins said.
"I'm certainly extremely disappointed.
"But I also have to look at the poor people who thought that their details might be published or were available. All of those claimants... I feel incredibly sorry for them and it beggars belief that someone who had confidential details didn't give it straight back to ACC."
Privacy Commissioner Marie Shroff earlier said she was investigating the breach.
"We've indicated to ACC that this is a 'please explain' situation,'' she said.
"There are various criteria for seriousness, one is the numbers of people involved, one is how sensitive the information is, another is whether it puts people directly at risk ... This one is serious if it's proved to be correct because it involves extremely sensitive personal information, particularly around the sensitive claims area.''
Ms Shroff said she could launch an investigation if she received a complaint about the breach, but could also launch her own inquiry if she felt the situation warranted it.
"We've taken the obvious first steps to go to ACC ... once we get their response we'll make a call about how to proceed.''