ACC has apologised for an error that led to information about thousands of claimants being emailed to an unauthorised recipient.
In a statement this afternoon, ACC chief executive Ralph Stewart confirmed that in an email to a client last August, an Auckland staff member had included a spreadsheet containing information about other clients.
About 9000 records were sent relating to about 6000 individuals. Mr Stewart said 137 records relate to individuals with sensitive claims, which deal with sexual abuse or sexual assault injuries.
"Details in the spreadsheet related to ACC claims that had been under review, and included client names, claim numbers and branches involved. There was no personal information in the spreadsheet,'' Mr Stewart said.
The client informed ACC in December that they had information not relevant to them, and ACC had requested the information be returned immediately.
"I can now confirm that the information has been destroyed, and is no longer on the hard drive of the computer of the client who received it,'' he said.
"Clearly, we must review our internal processes to ensure this type of event doesn't occur again. Can I reiterate ACC's concern, and I'd like to apologise to all ACC clients.''
ACC was working to contact each affected claimants to advise them of the breach and confirm that their information was now protected.
The breach was reported by media this morning, but ACC was not able to confirm the situation until this afternoon.
The organisation said the client would not respond to its request for the information to be returned, and until today, the client would not confirm that they had any confidential information.
"These are difficult cases because many people make allegations to us that they are in receipt of confidential information. We investigate when we have specific information. In this case, we wish we had done more,'' ACC said in a statement.
Privacy Commissioner Marie Shroff said she was taking the breach seriously, and that she had asked ACC for a formal response to the incident.
"We've indicated to ACC that this is a 'please explain' situation,'' she said.
"There are various criteria for seriousness, one is the numbers of people involved, one is how sensitive the information is, another is whether it puts people directly at risk ... This one is serious if it's proved to be correct because it involves extremely sensitive personal information, particularly around the sensitive claims area.''
Ms Shroff said she could launch an investigation if she received a complaint about the breach, but could also launch her own inquiry if she felt the situation warranted it.
"I certainly have the power to launch an independent inquiry, at this stage it's too early to make that call,'' she said.
"We've taken the obvious first steps to go to ACC ... once we get their response we'll make a call about how to proceed.''
ACC Minister Judith Collins would not comment on the situation until she received a report from Mr Stewart.