Download original attachment
(PDF file)
This is an HTML version of an attachment to the Official Information request 'Request for Te Whatu Ora internal administrative memos, IT security alerts, and executive directives relating to the receipt and handling of Barry Young's email on November 30, 2023'.


 
7 May 2026 
 
 
 
Robert Perham 
[FYI request #34032 email] 
 
 
Tēnā koe Robert 
Your request for official information, reference: HNZ00201589 – Part Two 
Thank you for your email on 11 March 2026, asking Health New Zealand | Te Whatu Ora for the 
following under the Official Information Act 1982 (the OIA): 
Under the Official Information Act 1982, I am requesting information regarding the internal 
administrative triage, IT security escalation, and executive communications surrounding an 
email sent by former employee Barry Young to the Te Whatu Ora Executive Leadership 
Team on November 30, 2023. 
 
It is a matter of public record that Chief Executive Margie Apa replied to Mr. Young's 
November 30 email, signing off with "warmest regards." However, shortly thereafter, a 
police complaint was filed by the organization. To understand the exact timeline of how Mr. 
Young's internal disclosure was handled administratively and the precise moment it was 
escalated to a security and criminal matter, I request the following official information 
generated between November 30, 2023, and December 4, 2023: 
 
1. Any internal emails, Microsoft Teams messages, or memos between members of the 
Executive Leadership Team (including Margie Apa's office) and the Te Whatu Ora 
IT/Cybersecurity teams discussing the receipt, content, or implications of Barry Young's 
November 30 email. 
 
2. Any incident reports, IT security alerts, or internal risk assessments generated in direct 
response to the receipt of Mr. Young's November 30 email. 
 
3. Any written directives, meeting minutes, or communications detailing the internal 
decision-making process to revoke Mr. Young's system access and file a formal complaint 
with the New Zealand Police. 
 
To be explicitly clear, I am not requesting the raw data Mr. Young allegedly possessed, nor 
am I asking for the personal or medical details of any vaccinators or patients. I am strictly 
asking for the internal operational and administrative communications regarding how his 
November 30 communication was handled by Te Whatu Ora management. 
Response 
In late 2023, a former Health NZ employee allegedly released sensitive COVID-19 vaccination 
data, some of which was then posted on overseas websites. Health NZ takes data security 
seriously and is deeply disappointed by this gross breach of trust. Protecting data and ensuring the 
privacy of individuals is incredibly important to us. As soon as we became aware, we immediately 
started an internal investigation to understand the impact of the alleged breach and took urgent 
steps to have the information removed from websites. Alongside our operational response we are 
looking at our processes for data security and wil  make any changes that are needed to further 
increase the security of information. 

 
 
On 9 April 2026, we responded to Question One and Question Three of your request. We also 
advised that pursuant to section 15(1)(a) of the OIA, a decision had been made on Question Two 
of your request however, it would take us some time to prepare the information for release.  
 
We have now completed this part of your request and some information has been withheld under 
the following sections of the OIA: 
 
•  9(2)(a), to protect the privacy of individuals. 
•  9(2)(ba)(i), as it is subject to an obligation of confidence, and if released, would likely 
prejudice the supply of similar information in the future. 
•  9(2)(ba)(i ), to protect information which is subject to an obligation of confidence where 
making it available would be likely otherwise to damage the public interest. 
•  9(2)(g)(ii), to maintain the effective conduct of public affairs through the protection of 
Ministers, members of organisations, officers, and employees from improper pressure 
or harassment. 
•  9(2)(h), on the basis that withholding that information is necessary to maintain legal 
professional privilege.  
•  6(c), where making the information available would be likely to prejudice the 
maintenance of the law, including the prevention, investigation and detection of 
offences.  
•  6(d), on the basis that making available that information would likely endanger the 
safety of any person.  
 
Information that has been withheld under section 6(c) is due to the person involved in the data 
breach being charged with a criminal offence and as there is an ongoing trial. Some other 
information has been withheld under section 6(c) of the OIA because it is the subject of non-
publication orders made by the Employment Relations Authority.  
 
In cases where names and contact details have been redacted under section 9(2)(a) of the OIA for 
privacy, 9(2)(g)(i ) of the OIA wil  also apply in order to protect individuals from improper pressure 
or harassment.  
 
I have considered the public interest in releasing the information. However, I do not consider that 
this public interest outweighs the harm identified above. 
 
How to get in touch 
If you have any questions, you can contact us at [email address]. 
If you are not happy with this response, you have the right to make a complaint to the 
Ombudsman. Information about how to do this is available at www.ombudsman.parliament.nz or 
by phoning 0800 802 602.  
 
 
 
 
 
 
 
 


 
As this information may be of interest to other members of the public, Health NZ may proactively 
release a copy of this response on our website. Al  requester data, including your name and 
contact details, wil  be removed prior to release.  
Nāku iti noa, nā  
 
 
  
 
 
Sasha Wood 
Head of Government Services 
Health New Zealand |Te Whatu Ora