Situation Report #2
Data Breach
Confidential and not for further distribution
Date: 1 December 2023
Time: 18.00pm
Event Name: Data Breach
Prepared by: S9(2)(a)
Incident Control er/SRO: Sue Gordon
Contact Details: S 9(2)(a)
Background
This Situation Report (SitRep) provides an update on our response to an employee using and commenting
on data publicly, including an email to a wide range of MPs. The employee has also made public a video
with S6(c)
. The employee is alleging that COVID vaccinations have been responsible for a large number
of deaths; the assertions are not correct and have no scientific validity.
We are closely monitoring this situation and will keep in close contact with the Minister’s Office throughout
the weekend. An update wil also be provided in our officials meeting on Monday at 9.00am. We are
running this as an incident management response. There are a number of workstreams currently
underway.
Workstreams
Function
Update
Next steps
Communications As at 1700 Monitoring Social Media and
Update by exception. Provide reactive
news media.
statements as required.
Public: Our proactive media statement,
released on Friday at 2.00pm, is attached
Margie Apa wil be appearing on One
and provides information on our response
News and RNZ Checkpoint today. The
to, and management of, the incident.
media team will field media queries
Margie Apa is the overall spokesperson and
wil be supported by S9(2)(a)
for public over the weekend and wil keep the
health messaging. We wil continue to
Minister’s Office informed.
provide support and liaison to the
We are not intending any further
Minister’s Office as required
internal communications at this stage
Internal: We have met with the employee’s
team to advise them of the situation at a
high level, and offered appropriate support.
Employment
S9(2)(a)
S9(2)(a)
matters
S9(2)(a)
S9(2)(a)
Information
We have sought and expect to receive late
Injunction proceedings underway as at
security
Friday an injunction against use and/or
1700. Indications are most requests
sharing of the information (and returning
are likely to be approved.
all information, materials and equipment)
from the Employment Relations Authority.
This covers the employee and also includes
a wider prohibition on use and sharing of
Once the injunction is granted, we will
the information by other parties (such as
enforce it as appropriate
media outlets). This now provides a basis to
legally enforce the injunction if information
is used or shared.
The Cyber IMT was activated in support of Al employee access blocked.
this event.
There are three workstreams of activity:
Forensic investigator engaged to assist
S6(c)
data and digital investigation.
S6(c)
Privacy
Given peoples’ personal information is
Our protocols for managing and
involved – both the threat to release
responding to privacy breaches,
information and inappropriate use by
including related to information
employee – we have registered this
security, will be followed.
incident as a privacy breach with the Office
of the Privacy Commissioner.
Key stakeholders S6(d)
S6(d)
S6(d)
S6(d)
Debrief from engagements at 4.00pm
Next steps
The next response briefing is planned for 1100 2 December 2023. Te Whatu Ora will provide an update no
later 1500 02 December 2023.
Situation Report #2
Data Breach
Confidential and not for further distribution
Date: 1 December 2023
Time: 18.00pm
Event Name: Data Breach
Prepared by: S9(2)(a)
Incident Control er/SRO: Sue Gordon
Contact Details: S 9(2)(a)
Background
This Situation Report (SitRep) provides an update on our response to an employee taking data without
authorisation and using it to spread misinformation on excess deaths from COVID19 vaccination. This
includes email to a wide range of MPs. The employee has also made public a video available online. The
employee is alleging that COVID vaccinations have been responsible for a large number of deaths; the
assertions are not correct and have no scientific validity. Red is update from Sitrep #1.
Workstreams
Function
Update
Next steps
Communications As at 1700 Monitoring Social Media and
Update by exception. Provide reactive
news media.
statements as required.
Public: Our proactive media statement,
CEO did 3 media interviews - One News,
released on Friday at 2.00pm, is attached
RNZ Checkpoint and Mediawatch. The
and provides information on our response
media team will field media queries over
to, and management of, the incident.
the weekend.
Margie Apa is the overall spokesperson and
wil be supported by S9(2)(a)
for public We are not intending any further internal
health messaging. We wil continue to
communications at this stage
provide support and liaison to the
Minister’s Office as required
Internal: We have met with the employee’s
team to advise them of the situation at a
high level, and offered appropriate support.
Employment
S9(2)(a)
matters
From Thursday 30 November S9(2)(a)
Information
We have sought and expect to receive late
Injunction proceedings endorsed by ERA as
security
Friday an injunction against use and/or
at 1700.
sharing of the information (and returning
all information, materials and equipment)
1
from the Employment Relations Authority.
Forensic investigator engaged to assist
This covers the employee and also includes data and digital investigation on data that
a wider prohibition on use and sharing of
may have been extracted without
the information by other parties (such as
authorisation.
media outlets). This now provides a basis to
legally enforce the injunction if information S6(c)
is used or shared.
The Cyber Incident Management Team is
activated. There are three workstreams of
activity:
S6(c)
Privacy
Given peoples’ personal information is
Our protocols for managing and
involved – both the threat to release
responding to privacy breaches activated.
information and inappropriate use by
employee – we have registered this
incident as a privacy breach with the Office
of the Privacy Commissioner.
Key stakeholders S6(d)
S6(d)
Debrief from engagements at 4.00pm
2
Next steps
The next response briefing is planned for 1100 2 December 2023. Te Whatu Ora will provide an update no
later 1500 02 December 2023.
S6(d)
3
Situation Report #2
Data Breach
Confidential and not for further distribution
Date: 1 December 2023
Time:
18.00pm
Event Name: Data Breach
Prepared by: S9(2)(a)
Incident Controller/SRO: Sue Gordon
Contact Details: S 9(2)(a)
Background
This Situation Report (SitRep) provides an update on our response to an employee taking data without
authorisation and using it to spread misinformation on excess deaths from COVID19 vaccination. This
includes email to a wide range of MPs. The employee has also made public a video available online. The
employee is alleging that COVID vaccinations have been responsible for a large number of deaths; the
assertions are not correct and have no scientific validity. Red is update from Sitrep #1.
Workstreams
Function
Update
Next steps
Communications
As at 1700 Monitoring social media and
Update by exception. Provide reactive
news media.
statements as required.
Public: Our proactive media statement,
CEO did 3 media interviews - One News,
released on Friday at 2.00pm, is attached
RNZ Checkpoint and Mediawatch. The
and provides information on our response
media team will field media queries over
to, and management of, the incident.
the weekend.
Margie Apa is the overall spokesperson and
will be supported by S9(2)(a)
for public
We are not intending any further internal
health messaging. We will continue to
communications at this stage
provide support and liaison to the
Minister’s Office as required
Internal: We have met with the employee’s
team to advise them of the situation at a
high level, and offered appropriate support.
Employment
S9(2)(a)
matters
S9(2)(a)
Information
We have sought and expect to receive late
Injunction proceedings endorsed by ERA as
security
Friday an injunction against use and/or
at 1700.
sharing of the information (and returning
all information, materials and equipment)
1
from the Employment Relations Authority.
Forensic investigator engaged to assist
This covers the employee and also includes
data and digital investigation on data that
a wider prohibition on use and sharing of
may have been extracted without
the information by other parties (such as
authorisation.
media outlets). This now provides a basis to
legally enforce the injunction if information S6(c)
is used or shared.
The Cyber Incident Management Team is
activated. There are three workstreams of
activity:
S6(c)
Privacy
Given peoples’ personal information is
Our protocols for managing and
involved – both the threat to release
responding to privacy breaches activated.
information and inappropriate use by
employee – we have registered this
incident as a privacy breach with the Office
of the Privacy Commissioner.
Key stakeholders S6(d)
S6(d)
Debrief from engagements at 4.00pm
2
Next steps
The next response briefing is planned for 1100 2 December 2023. Te Whatu Ora will provide an update no
later 1500 02 December 2023.
S6(d)
3
Situation Report #3
Data Breach
Confidential and not for further distribution
Date: 02 December 2023
Time:
1700hrs
Event Name: Data Breach
Approved by: S9(2)(a)
Incident Controller/SRO: Sue Gordon
Contact Details: S 9(2)(a)
Background
This Situation Report (SitRep) provides an update on the health system response to an employee (referred
to as POI) taking data without authorisation and using it to spread misinformation on excess deaths from
COVID19 vaccination. This includes email to a wide range of MPs. The POI has also made public a video
available online. The POI is alleging that COVID vaccinations have been responsible for many deaths; the
assertions are not correct and have no scientific validity. Red is update from Sitrep #1.
Workstreams
Function
Update
Next steps
Communications
A proactive media statement, released on 01
News and social media continue to
December at 1400hrs, provided information on Te
be monitored for any emerging
Whatu Ora’s response to, and management of, the
issues or heightened interest.
incident.
Ongoing development of a
Margie Apa is the organisational spokesperson and
proactive media release over the
will be supported by Andrew Old for public health
next 24hrs (as situation develops).
messaging.
Support and liaison to the
On 01 December 2023, Margie Apa completed 3
Minister’s Office will continue to
media interviews. The media team will field media
be provided as required.
queries over the weekend.
Employment
S9(2)(a)
S9(2)(a)
matters
S9(2)(a)
S6(c)
S6(c)
Injunctions to prohibit use or sharing of
S9(2)(a)
information, return information and equipment and
to delete information were served by email as of 01
1
December evening. It covers the POI, S9(2)(a) and
S9(2)(a)
any other parties with access to or involved in
accessing and releasing data.
S6(c)
A criminal complaint has been
lodged with Police. S6(c)
As of 02 December, People and Capability are
liaising with Simpson and Grierson to ensure all
legal options are explored.
S6(c)
Staff in POI’s team briefed and S9(2)(a)
Forensic investigator engaged to
Information
Injunctions received cover the POI and also includes assist data and digital investigation
security
a wider prohibition on use and sharing of the
on data that may have been
information by other parties (such as media
extracted without authorisation.
outlets). This now provides a basis to legally enforce
the injunction if information is used or shared.
S6(c)
The Cyber Incident Management Team is activated.
There are three workstreams of activity:
S6(c)
S6(c)
S6(c)
S6(c)
S6(c)
2
S6(c)
S6(c)
NSCS Incident response team comfortable to be
updated.
-
Will be meeting at 1200hrs to form plan for
weekend (02 –03 December).
Privacy
Given peoples’ personal information is involved –
Our protocols for managing and
both the threat to release information and
responding to privacy breaches
inappropriate use by POI – this incident has been
activated.
registered as a privacy breach with the Office of the Confirmation on the scale of the
Privacy Commissioner.
data breach ongoing.
S9(2)(ba)(i), 9(2)(ba)(ii)
S9(2)(h)
- S9(2)(h)
Remains risk of data re-emerging
internationally given it was able to
be downloaded
Key stakeholders S6(d)
S6(d)
3
S6(d)
S6(d)
4
S6(d)
5
Situation Report #4
Data Breach
Confidential and not for further distribution
Date: 03 December 2023
Time: 1330hrs
Event Name: Data Breach
Approved by: S9(2)(a)
Incident Control er/SRO: Sue Gordon
Contact Details: S 9(2)(a)
Background
This Situation Report (SitRep) provides an update on the health system response to an employee (referred
to as POI) taking data without authorisation and using it to spread misinformation on excess deaths from
COVID19 vaccination. This includes email to a wide range of MPs. The POI has also made public a video
available online. The POI is alleging that COVID vaccinations have been responsible for many deaths; the
assertions are not correct and have no scientific validity. Red is update from Sitrep #1.
Workstreams
Function
Update
Next steps
Communications ***Press release update to come***, this includes
News and social media continue to
an update on where Te Whatu Ora are on their
be monitored for any emerging
response to the POIs actions, as well as clear
issues or heightened interest. As of
reassurance regarding the use of vaccines.
1200hrs 03 December, there has
been no noticeable increase in
anti-vaccination rhetoric linked to
this breach.
Support and liaison to the
Minister’s Office will continue to
be provided as required.
Employment
The Person of Interest
S9(2)(h)
matters
• S9(2)(a)
• All external access to systems and
processes has been removed. S9(2)(a)
S9(2)(h)
• Physical and emailed injunction have been
served (as of 02 December 2023).
• S6(c)
S6(c)
1
S6(c)
S6(c)
• As of 02 December, People and Capability
are liaising with Simpson and Grierson to
ensure all legal options are explored.
• S6(c)
S9(2)(a)
Wider Data Sharing
• Injunctions to prohibit use or sharing of
information, return information and
equipment and to delete information were
served by email as of 01 December evening.
It covers the POI, S6(c)
, and any other
parties with access to or involved in
accessing and releasing data.
• S6(c)
Information
The Cyber Incident Management Team is activated. Forensic investigator engaged to
security
There are three workstreams of activity:
assist data and digital investigation
S6(c)
on data that may have been
extracted without authorisation.
S6(c)
S6(c)
S6(c)
2
S6(c)
S6(c)
Privacy
S6(c)
Confirmation on the scale of the
data breach ongoing.
S9(2)(h)
- S9(2)(h)
Remains risk of data re-emerging
internationally given it was able to
S9(2)(ba)(i), 9(2)(ba)(ii)
be downloaded
Although papers have been served
via email, as of 1200hrs 03
December, S6(c), S9(2)(a)
Protocols for managing and responding to privacy
breaches activated.
3
Key stakeholders S6(d)
S6(d)
S6(c)
4
S6(d)
5
Situation Report #4
Data Breach
Confidential and not for further distribution
Date: 03 December 2023
Time:
1700hrs
Event Name: Data Breach
Approved by: S9(2)(a)
Incident Controller/SRO: Sue Gordon
Contact Details: S9(2)(a)
Background
This Situation Report (SitRep) provides an update on the health system response to an employee (referred
to as POI) taking data without authorisation and using it to spread misinformation on excess deaths from
COVID19 vaccination. This includes email to a wide range of MPs. The POI has also made public a video
available online. The POI is alleging that COVID vaccinations have been responsible for many deaths; the
assertions are not correct and have no scientific validity. Red is update from Sitrep #1.
Workstreams
Function
Update
Next steps
Communications
Proactive press release PM 03 December 24, this
News and social media continue to
includes an update on where Te Whatu Ora are on
be monitored for any emerging
their response to the POIs actions, as well as clear
issues or heightened interest. As of
reassurance regarding the use of vaccines.
1200hrs 03 December, there has
been no noticeable increase in
anti-vaccination rhetoric linked to
this breach.
Support and liaison to the
Minister’s Office will continue to
be provided as required.
Notably:
S6(c)
S9(2)(h)
Employment
The Person of Interest
matters
• S9(2)(a), S6(c)
1
S9(2)(a), S6(c)
Take-down orders will continue to
• S9(2)(a)
be issued to any sites that publish
the data or information taken from
• All external access to systems and
HNZ servers.
processes has been removed. S9(2)(a)
S6(c)
• Physical and emailed injunction have been
served (as of 02 December 2023).
• S6(c)
• As of 02 December, People and Capability
are liaising with Simpson and Grierson to
ensure all legal options are explored.
• S6(c)
S9(2)(a)
Wider Data Sharing
• Injunctions to prohibit use or sharing of
information, return information and
equipment and to delete information were
served by email as of 01 December evening.
It covers the POI, S6(c)
, and any other
parties with access to or involved in
accessing and releasing data.
• S6(c)
The Cyber Incident Management Team is activated. Forensic investigator engaged to
Information
There are three workstreams of activity:
assist data and digital investigation
security
2
S6(c)
on data that may have been
extracted without authorisation.
S6(c)
S6(c)
S6(c)
S6(c)
S6(c)
Privacy
3
S6(c)
- S9(2)(h)
S9(2)(ba)(i)
Remains risk of data re-emerging
internationally given it was able to
be downloaded.
Although papers have been served
via email, as of 1200hrs 03
Protocols for managing and responding to privacy
December, S6(c), S9(2)(a)
breaches activated.
Key stakeholders S6(d)
S6(d)
S6(c)
4
S6(d)
5
Situation Report #5
Data Breach
Confidential and not for further distribution
Date: 04 December 2023
Time:
1700hrs
Event Name: Data Breach
Approved by: S9(2)(a)
Incident Controller/SRO: S9(2)(a)
Contact Details: S9(2)(a)
Background
This Situation Report (SitRep) provides an update on the health system response to an employee (referred
to as POI) taking data without authorisation and using it to spread misinformation on excess deaths from
COVID19 vaccination. This includes email to a wide range of MPs. The POI has also made public a video
available online. The POI is alleging that COVID vaccinations have been responsible for many deaths; the
assertions are not correct and have no scientific validity. Red is update from Sitrep #1.
Workstreams
Function
Update
Next steps
Communications Te Whatu Ora Chief Executive is due to
Communications team continue to
complete further interviews 04 December. The
monitor the POIs court appearance
Ministers office is aware.
today, as well as any resulting
discourse surrounding these proceeds.
Employment
The Person of Interest
S9(2)(a), S6(c)
matters
S6(c), S9(2)(a)
S6(c)
Wider Data Sharing
• Injunctions to prohibit use or sharing of
information by any other parties with
S9(2)(a)
access to or involved in accessing and
releasing data continue to be utilised.
• A decision has been made not to serve
injunction to conspiracy groups sharing
this information online, as there were
concerns this would encourage the
spread of this inaccurate narrative.
S9(2)(a), S6(c)
1
S6(d)
S6(d)
S6(d)
S6(c)
3
S6(c)
This report was current at the time of distribution.
IN-CONFIDENCE: This information can only be disseminated or duplicated with the express permission of Te Whatu Ora Health
New Zealand. This document contains confidential information, and must be handled, stored, and transferred appropriately,
including not making it available outside of the primary recipient list.
Page 5 of 7
