The Health Minister pulled no punches when responding to the findings of an inquiry into the major Covid privacy breach, describing the leak as "disgraceful and grubby".
The inquiry into the leak to media of Covid-19 patient details has found outgoing National MP Hamish Walker and Michelle Boag were solely responsible for putting the personal health information of 18 people into the public arena, and it was politically motivated.
Chris Hipkins told reporters it was a "disgraceful and grubby act carried out by two National Party members for political purposes".
They "gave no thought to the stress and harm" that may have caused to the 18 people on the list, to "gain political advantage", he said.
Hipkins thanked the three media outlets for the responsible way they had handled the highly sensitive information, and not making it public after receiving it from Walker.
Michael Heron QC was asked to carry out an investigation into what initially could have been a leak from a public agency, but the following day Walker and Boag outed themselves: "That was a great help actually," he told reporters.
The State Services Commission referred the report to the Privacy Commissioner John Edwards, to look into whether either Walker or Boag should face any consequences for their role.
Edwards said he would take the findings into account while doing a related inquiry into the distribution of Covid-19 health information.
He says as Commissioner he has "no ability" to issue penalties against individuals or organisations and has "no jurisdiction over Members of Parliament".
"It remains open to any of the individuals whose information was subject to the Walker/Boag breaches to make complaints to my office."
Health Ministry response
The Health Ministry has issued a breach of contract notice to the Auckland Rescuer Helicopter Trust. Boag received the patients' information in her role as acting chief executive. She passed it to Walker - who then leaked it to three media outlets.
Director-General of Health Ashley Bloomfield said the notice is mainly to get assurances from the Trust it would abide by the privacy commitments in their contract and that information would be properly protected.
Under a strict "serious threat" exemption, the ministry agreed to share the daily list of patient details with emergency services so they could be aware of possible cases when attending emergencies, but that was at the start of the outbreak when there were cases in the community.
The report found after New Zealand was declared free of community transmission, there was no longer a need to share that information.
It also found such sensitive information should be handled in a much more secure way, as it was not password protected or encrypted.
Bloomfield said the ministry has contacted each of the 18 people to apologise and keep them up to date with what was going on.
And he said a number of changes have been made to better protect the information; the most immediate was to stop sending it to a "group of organisations" that had been receiving it since the start of the pandemic for whom it was no longer necessary.
They had also reviewed that list of organisations and people who would get the information "should it be required again" in the future and to make sure there's a "clear reason" for them to receive it.
Health professionals deal with people's personal health information every day, Bloomfield said. They take that responsibility seriously and he thanked them for the work they do "every day to ensure the privacy of New Zealanders".
Watch the full briefing from Chris Hipkins and Dr Ashley Bloomfield: