Pharmacy scrambles to scrub internet of patients' private messages

A Wellington pharmacy at the centre of a data leak says sensitive patient information has now been scrubbed from the internet.

Unichem Petone said it was contacting 29 patients affected by what it described as an error on the website that saw patients' private messages to the pharmacy via its 'contact us' form made public.

Owner of the franchise store, Joseph Tsou told RNZ on Monday he was "very stressed" to learn of the breach and offered his "sincere apologies".

"I know our customers had trust in us and it should have been a very private and confidential message to us. Nothing like this was intended to happen - I'm really trying to make it right."

He said the 'contact us' form typically delivered a patient's message to the pharmacy's email, but a "system error" with the portal had created "trails" of those messages on the internet.

"Basically if you put your name, your details and, 'I would like to talk to you about my meds,' that message is publicly available ... but not anymore.

"We've already rectified it and it's erased from the Google research."

Tsou said the website didn't have a patient database and the breach was limited to messages sent between early June - when he switched website provider - and 22 June.

He said it was important to his patients and the public to know "that this isn't actually a database breach" like the Manage My Health cyberhack.

He said it had been a surprise to be contacted by a Stuff reporter alerting him to the issue on Monday morning.

"As far as we understand .. he was looking to write an article about a certain person, that name popped up and that's when he discovered this."

Stuff reported that it found patients' full names and contact details alongside requests for repeat prescriptions.

Tsou said he didn't know who else might have seen the information "because you have to actively search for that person to find that".

"Obviously, just unfortunate that it was spotted by a reporter ... but I appreciate that. If he didn't actually bring it up to me I'd have no idea. There'd be no way for us to know that there are issues."

Health New Zealand chief information security officer Peter Booth said it was a "localised matter involving a third-party pharmacy website" and that broader health sector systems weren't affected.

He understood Unichem Petone had "taken steps to contain the breach and will be contacting the appropriate authorities".

The Pharmacy Council told RNZ on Monday that to date it had not been advised on the breach beyond media reports and said it was primarily a matter for the privacy commissioner.

It said it would assess whether to take action only if there was information indicating an individual pharmacist had not met the required standards of practice.

A spokesperson for the National Cyber Security Centre said it had been in touch with the pharmacy and in general didn't comment on the details of an investigation or response.

Green Cross Health, which represents Unichem, said it was aware of a reported data breach involving a website operated independently by one of its licensee pharmacies.

Group chief executive Rachael Newfield said the website in question sat outside Green Cross Health's corporate digital environment and was managed separately by the individual licensee.

"We are in contact with the licensee, who has confirmed that they are taking prompt action and engaging with the appropriate authorities."