Waikato District Health Board has confirmed patient and staff data has been seized in the ransomware attack that's crippled its systems since last Tuesday.
The Health Minister says once the systems are back online, the Government will launch a review into how they all crashed in the first place.
Eleven days in and there's still no end in sight for the embattled DHB.
"The longer this goes on for, the longer that recovery period will be," Waikato DHB CEO Kevin Snee told a press conference on Thursday.
Its systems have been down since the ransomware attack on May 18.
The Health Minister wants to know exactly how all of them - from car parks to cancer care - were so connected.
"Once the systems are recovered at Waikato, there has to be a review. There will be a review and the question about how the whole system, the whole shebang was brought down, that'll be the question," Andrew Little told The AM Show.
Media, including Newshub, were contacted on the night of May 24 by a group claiming responsibility, and sent what was claimed to be patient and staff data seized in the attack.
Today, the DHB confirmed its fears.
"It does appear to be genuine," says Snee.
"We're now examining those files to identify the information on them, and the individuals affected, and assess the level of risk associated with that."
It hopes to contact them in the coming days and offer support.
"I think it'll really depend on the information that's been leaked, we'll need to tailor the support for the individuals," says Snee.
It could take weeks to work through the DHB's 680 servers to bring everything back to normal. Servers dealing with cancer treatment are being made a priority.
The DHB says this is now a disaster on a national scale. Cancer patients are being sent to Auckland, Tauranga, or Wellington based on need.
But the Cancer Control Agency says sending patients to Australia is a last resort.
"I'm confident we'll be able to manage this within New Zealand. For people undergoing cancer treatment, travelling to Australia at this time is likely to be a very unappealing option for obvious reasons [such as] concerns at the border, concerns around COVID," Cancer Control Agency CEO Diana Sarfati told media.
The Privacy Commissioner says the DHB should be monitoring the dark web in case the data pops up there.
"Clearly, it should never have happened," John Edwards told Newshub.
"The hackers, unfortunately, hold the ability to do great harm, and they've already demonstrated they're prepared to do that."
While he's yet to receive any complaints, Edwards says if a DHB hasn't taken adequate security measures to protect its systems, it could be liable to anyone who suffers harm in a breach.
"It's too early to be thinking about issues of liability. But if there was a failure to take adequate care of health information, then an order of damages could be made by the human rights review tribunal," he said.
And calls for an explanation are starting to pile up as Kiwis wait for the system to come back online.