Nearly a million New Zealanders face the risk that their medical data has been accessed illegally on the website of Tu Ora Compass Health, the company said on Saturday.
The website was hacked in August, but investigations also uncovered previous attacks dating from 2016 to March 2019, said the health firm, which collects and analyzes patient information from medical centers.
"While this was illegal and the work of cyber criminals, it was our responsibility to keep people's data safe and we've failed to do that," Martin Hefford, Chief Executive Officer of Tu Ora, said in the statement.
Both Tu Ora and New Zealand's Ministry of Health said they have not been able to determine whether the cyberattacks resulted in any information being accessed.
Tu Ora said it holds health data on people from the greater Wellington, Wairarapa and Manawatu regions dating back to 2002.
The health ministry said in a statement that the data does not include notes made on consultations patients have had with general practitioners, but includes other information.
The information includes enrolment information at medical centers, patients' National Health Index Number, name, date of birth, ethnicity and address, the ministry said.
In some cases, Tu Ora also holds additional clinical information used for health promotion, such as smoking status, and for managing chronic conditions such as diabetes.