Vote2020

Disgraced National MP Hamish Walker sent private Covid-19 details because his judgment was impaired after being called racist, an inquiry has found.

And former National party president Michelle Boag sent the highly sensitive information to Walker in an attempt to help clear his name.

The powerful inquiry by the State Services Commission was critical of the pair and found the Ministry of Health could have kept patient details more secure.

Michelle Boag, former National Party president, has admitted she sent private Covid-19 patient details to two National MPs. Photo / Brett Phibbs
Michelle Boag, former National Party president, has admitted she sent private Covid-19 patient details to two National MPs. Photo / Brett Phibbs

Deputy Services Commissioner State Helene Quilter was very critical of Boag and Walker:

Advertisement

"Ms Boag and Mr Walker were each responsible for the unauthorised disclosure of this sensitive information. Their motivations were political. Their actions were not justified or reasonable. Each acknowledged their error publicly and co-operated with this inquiry."

The inquiry found the "leak was committed by motivated individuals knowing they had no entitlement to disclose the information they did. It is doubtful whether any policy (or, potentially, security system) could have completely prevented that".

The investigation, headed by former solicitor general Michael Heron, QC, was tasked with getting to the bottom of the leak and investigate whether patient data could have been kept more secure.

Heron did not forensically examine Boag, Walker or Woodhouse's email addresses or computers and took them at their word.

He said it was "a fair comment" that these people shouldn't be taken at their word given their actions, but said he had no reason not to believe them

Heron found Boag was sent the patient details through her role of acting chief executive of Auckland Rescue Helicopter Trust. She resigned after the scandal.

The patient information was sent to Boag by the Health Ministry and she would forward it to two senior clinical leads at the ARHT when the virus was in the community.

During the peak of the crisis, emergency services were sent the details of active cases.

Advertisement

Boag then sent Walker the information after he'd been accused of being racist for saying the active cases came from "India, Pakistan and Korea".

She believed the information would help clear his name.

Walker then forwarded the information to media.

"The three countries are places in the news as having significant outbreaks of Covid-19. I was aware that at least many of the people would be New Zealand citizens or permanent residents and it was not my intention to highlight the race of the people, but simply their country of departure."

What Walker told the inquiry

Walker said he found accusations of racism "very upsetting" and impaired his judgment.

Walker told the inquiry: "I accept that my judgment was impaired due to the pressure and distress of being labelled a racist.

Advertisement

"I accept one of the purposes of sending this information on to media people was to respond, while under distress, to accusations of racism. My intention was to show that my initial press release was based on fact and was not racially motivated. However, I accept that the spreadsheet sent on did not prove that point as it gave the names of people and not the places that [they] had departed from, to New Zealand.

"I did not have an additional purpose of showing the information was not being properly protected by the Government."

Walker said he was also concerned at how freely the patient information was available and was sent around without password protection and he wanted to hold the Government to account.

Michael Heron, former Solicitor-General, headed the State Services inquiry into the leak of Covid-19 patient details. Photo / Mark Mitchell
Michael Heron, former Solicitor-General, headed the State Services inquiry into the leak of Covid-19 patient details. Photo / Mark Mitchell

"I saw this as a major Government flaw that I could expose at the time."

Heron said it was not within his jurisdiction to find people liable so has passed his findings on.

The findings of the inquiry have been passed to the Privacy Commissioner as they sit outside the jurisdiction of the State Services Commission.

Advertisement

The investigation found the security around the security of personal information within the Ministry of Health "could have been tighter and the agency should have reviewed this earlier".

Director general of health Ashley Bloomfield has given the State Services Commission assurances his ministry is fixing the areas identified in the report for improvement.

Quilter said who the Ministry of Health shared the information with should have been reviewed.

"The Ministry's policy should have been reviewed when the context shifted and it was not," said Quilter.

"I am not going to criticise the Ministry of Health beyond that when lives have been saved as a result of their actions on the broader Covid-19 front.

"The information should not have been placed in the public arena. The Ministry of Health did not place it there."

Advertisement

No password on patient info

Heron said any system is vulnerable to people who seek to misuse the information.

Quilter said when they started the investigation, they believed it could have come from the public service but it was important to continue to establish whether any other mistakes were made.

The Ministry of Health stopped disseminating patient information on July 2 and the inquiry found there appeared to be "no significant risk of further disclosure".

Heron said the fact the information was being sent without a password "wasn't optimal".

"It would have been optimal to protect it further."

"But nothing is foolproof," he said.

Advertisement

The inquiry found: "Ultimately, any system is vulnerable to the deliberate actions of persons who seek to misuse confidential personal information".

Heron said he took Boag at her word when she said she hadn't shared the data with anyone other than Boag and Walker.

Walker and Boag were candid and credible in their interviews, said Heron.

Boag sent National's Michael Woodhouse similar information and ideally, the senior MP should have told Boag not to disseminate this information, Heron said.

Heron said the motivation for Boag sending patient information to Woodhouse was the same - political.

Quilter said she hasn't investigated what systems could be employed to make the information more secure - that would be a matter for the Health Ministry, she said.

Advertisement

A copy of the report has been shared with National leader Judith Collins and the Leader of the House Chris Hipkins.

"We regret the actions of our previous acting CEO": ARHT

Auckland Rescue Helicopter Trust (ARHT) Chairman Simon Tompkins said he accepted the findings of the report.

"We regret the actions of our previous acting CEO and our thoughts are with those people whose privacy was breached," he said in a statement.

"The Trust has conducted an internal review and have engaged with the Ministry of Health and with the Office of the Privacy Commissioner to ensure our privacy policies and procedures are robust and completely fit for purpose."

Patients' welfare remained the number one priority of the ARHT and the Trust took its responsibility of protecting patients' privacy very seriously, Tompkins said.