A major New Zealand GP network is scrambling to work out how hackers managed to infiltrate its IT system and gain access to the personal data of hundreds of thousands of patients.
Pinnacle Health said people's private health notes are not at risk of exposure, but cyber experts said enough information could have been gained to carry out identity fraud.
One patient who Newshub spoke to is worried her personal health details have been leaked.
"Well, I mean, it's my personal information, that's what's going to come from that. Who's got these details now? It's not just mine, it's my daughter's. My mum is also in the same situation," she said.
There could be as many as 450,000 Pinnacle Health patients just like her after the health provider confirmed on Tuesday it faced a cyber attack on Wednesday last week.
"We are now aware that malicious actors have breached our system and have accessed information which could include commercial and personal details," said Justin Butcher, CEO of Pinnacle Incorporated Pinnacle Midlands Health Network.
Another patient Newshub spoke to received an urgent notice from her medical centre the day after the attack saying their computer systems were completely down.
Pinnacle Health said as soon as it became aware of the breach, the affected IT system was taken offline and contained, and personal medical notes are not at risk.
"However, we do have some personal information such as names, addresses and NHI numbers," Butcher said.
"It's enough information for an identity theft," said Alastair Miller, Aura Information Security principal advisory consultant.
Miller said even if the system was immediately taken offline, that doesn't mean hackers have been booted out.
"Attackers often get into a network and wander around very quietly for a while, get under a number of different systems, so you may find the obvious first step, but unfortunately they may be under a number of systems and that's probably what they're looking at right now," Miller said.
The hack is a concern to Royal College of GPs president Dr Bryan Betty, but he's pleased Pinnacle is being transparent.
"It's not personal GP records and I think that's very, very important to reassure, and again, this has been investigated fully with the police and with Pinnacle."
And while the health provider won't say if the hackers have demanded a ransom, Miller said it's easy to hazard a guess.
"It always comes back to money."
Pinnacle Health said it's still in a very early stage of the response and it will keep working to figure out just how the breach happened.