A Ministry of Health email blunder has spilled private medical information of 24,000 Kiwis.
Officials are investigating how a spreadsheet of National Health Index (NHI) numbers, containing the birth and death dates of 24,092 people, was emailed to around 950 pharmacists yesterday morning. The email was supposed to be sent internally.
Security on NHI numbers is extremely high, with access restricted to health professionals and agencies governed by the Health Information Privacy Code.
Access to the data, which also includes gender and location details of an individual, is comprehensively logged and subject to a signed agreement, with the system recording details each time an NHI is looked at - including which NHI, who looked at it, when and what they did with it. An audit programme monitors whether access was justified and whether it was used for legitimate purposes.
In a statement to the New Zealand Herald, information director Graeme Osborne said the Ministry "understands that the public rightly expects that any health information, even information which has been protected, should be held secure."
The Ministry has apologised for the mistake, saying any unintended release of information - even if it is coded and to a group of health professionals - is not acceptable.
"The information related to 24,092 individuals who had passed away in the six months from January this year," a spokesman said.
"As soon as the error was made, a second email was sent asking the recipients to delete it.
"The Ministry already has precautions in place to prevent mistakes like this from occurring and the first step in its investigation will be to check why those precautions failed in this instance."
Labour's health spokeswoman, Annette King, said the ministry's privacy breach is "inexcusable".
"Patients must be able to trust the information they give to doctors will only be accessible to staff involved in their treatment.
"This data was particularly sensitive. Its release would be hugely distressing to relatives and loved ones.
"Ministry staff know confidentiality is paramount when dealing with clients' data and while this particular breach involved coded data, it follows a number of other high profile leaks of information from other Government departments, including ACC, WINZ and IRD.
"Any breach of this magnitude is unacceptable, full stop.
"The Ministry must now not only assure New Zealanders its systems are robust, but if any patients' released details make them identifiable, families should be contacted and offered an apology."
A number of Government agencies have admitted privacy breaches over the last three years.
In 2013, a major breach by the Earthquake Commission saw details of more than 80,000 claimants sent to the wrong email address.
The EQC also sent a claimant an email with an attached spreadsheet with 2200 names, stopped cheque details and claim amounts worth about $23 million.
Also in 2013, the Ministry of Education owned up to a staff member attached the wrong letter to an email, Immigration New Zealand sent two emails with client email addresses to more than 200 advisers, lawyers and individuals, the Ministry for the Environment sent about 150 people each other's private email address and a Hawkes Bay District Health Board worker mistakenly released a patient's confidential medical file to the media.