The Accident Compensation Corporation says it is going to cost money to make the necessary changes to protect client privacy.
As a result of two investigations into privacy breaches, the agency will implement seven recommendations for its policies and practices.
ACC Minister Judith Collins says the huge job of turning around the corporation's systemic failings on privacy breaches will start at the top, with changes to the board.
Ms Collins says the computer system will also be improved to stop information being inadvertently leaked through email.
"They never put in place or planned for correct mechanisms around the security of information," she says.
"What this shows is that steps were not taken, like other agencies have taken - like police, Work & Income and IRD - to protect people's private information. And it should have been, and it will have to be."
Ms Collins says the changes will be made within two years.
Three lawyers' views
Some lawyers say the changes recommended are basic principles any organisation should have to run effectively.
ACC specialist Hazel Armstrong says it's a radical departure from the current culture, as the recommendations are aimed at ACC being more sensitive towards claimants.
Another lawyer, Kathryn Dalziel, says the legislation relating to how ACC deals with personal information has been around for 20 years and she is surprised the corporation is only now being told the basics.
A third lawyer, John Miller, says the problem is that the corporation has access to too much information about people.
Malcolm Crompton, aformer Australian privacy Ccommissioner who co-authored the review of privacy practices at ACC, says the recommendations to remedy privacy breaches could apply to any organisation handling client data.
He says the privacy debacle serves as an early-warning system for other organisations handling data.
Mr Crompton says staff at ACC have a good attitude toward clients in a trying environment, but some staff need to better understand the consequences of their actions.
Claimant's suspicions confirmed
An ACC claimant whose sensitive case information was improperly delivered to her home says the report on the privacy breach has confirmed her suspicions.
The claimant, calling herself just Kelly, says she complained to ACC three months ago after her file was left outside her house by a courier, who should have got her signature to ensure personal delivery.
Kelly says she was told that the botched delivery was the fault of the courier and had happened to other clients.
She says she told ACC the mistake was its responsibility and the agency promised to apologise, but has yet to do so.
A claimant whose sensitive case information was mistakenly sent to another claimant, Bronwyn Pullar, says the improper handling of her details has been detrimental to her mental health.
The claimant, whose name Radio New Zealand cannot reveal, says it's harrowing not being able to trust a government agency that holds her most sensitive information.
She says ACC offered her $250 compensation for the breach, which she rejected.