IntraCare cyber incident sees patient records accessed

Private healthcare provider IntraCare has confirmed that patient information was accessed during a March cyber incident, adding to a run of data breaches affecting New Zealand organisations and drawing further attention to cyber and privacy risk in the health sector.

IntraCare confirms access to patient information

IntraCare – which provides image-guided medical diagnostics and interventional procedures – said it detected a cyber incident on March 20 and shut down its IT systems once the issue was identified. The company has since confirmed that data relating to patients was accessed in the event. In an update on its website, IntraCare said it has contacted affected individuals directly by email, but it has not publicly disclosed how many patients are involved. According to the provider, a specific external group is suspected of holding personal information taken in the incident. “The investigation to identify who is responsible is an ongoing process, and although a group that we suspect may be in possession of personal information has been identified, under the Privacy Act no details that could identify that group can be provided,” it said, as reported by RNZ.

IntraCare stated that specialist cyber security firms and New Zealand Police are monitoring for any unauthorised use, sale, or publication of the data. “At this time, we do not have evidence of unauthorised use,” the provider said. To support attempts to control the handling of any data obtained, IntraCare has secured a High Court injunction intended to limit circulation or publication of material linked to the incident. The organisation said it has notified the Office of the Privacy Commissioner, other relevant government agencies, and law enforcement. Service delivery was disrupted. In the week after the incident, 28 procedures were either deferred or relocated to other sites. IntraCare said full services resumed on March 30. The provider has advised patients and the wider public to be alert to possible scams or suspicious contact that could arise from the breach. “We recommend caution – not only due to this incident but also as cyber incidents are on the rise,” it said.

Recent health and consumer breaches frame the incident

The IntraCare breach follows earlier cyber incidents at online health record platform ManageMyHealth and medication management system MediMap at the start of 2026. Those cases drew media and public attention because of the type and volume of personal and health information involved. The broader context has prompted some health practitioners to reassess how they share and store information through digital portals. At least one general practice in Wellington has reportedly stopped uploading consultation records to the MyIndici portal, despite there being no indication that MyIndici has been affected by any breach. These developments indicate ongoing shifts in how clinical data is handled and where operational dependencies sit.

Survey data points to widespread cyber exposure

The IntraCare event is consistent with patterns set out in Kordia’s 2026 New Zealand Business Cyber Security Report, which focuses on large organisations. According to the report, 44% of large New Zealand businesses experienced a cyberattack or incident in the past 12 months. Of those incidents, 17% resulted in personal information being accessed or stolen, indicating that privacy issues are a regular feature once systems are compromised.

Nearly one in six incidents involved AI-related vulnerabilities or misuse within the organisation. One in four respondents identified improper AI use as one of their top three challenges to improving cyber security, suggesting that governance of new tools is an emerging operational issue rather than a niche concern. The report found that 61% of organisations that experienced a cyber incident reported serious business disruption, including downtime, supply chain interruption, and other operational impacts. Around one in five affected businesses reported financial extortion demands from cybercriminals.

Social engineering, AI misuse, and technical weaknesses

Kordia’s findings indicate that social engineering remains a central method of compromise, often combined with AI-enabled techniques. Email phishing featured in 45% of reported attacks, with text-based phishing in 14% of cases and voice or video deepfakes in a further 6%. Almost one in five incidents stemmed from weaknesses in websites or other internet-facing applications. The report also notes that almost one in six incidents exploited AI misuse or vulnerabilities in AI-enabled workflows. Shadow AI –  the use of unsanctioned AI tools or the entry of sensitive information into external AI platforms – is identified as a contributing factor in a share of local data breaches, in line with overseas trends. International data cited in the report indicates that healthcare has recorded the highest average breach cost globally for 12 consecutive years, with the finance sector second. Customer data is identified as the most common category of information stolen. These patterns are relevant when modelling large-loss scenarios for health and financial institutions and for cyber portfolios more generally.

Regulatory and insurance considerations

The IntraCare breach and the Kordia survey outcomes point to persistent and varied cyber and privacy exposures across New Zealand sectors, with healthcare one of the more data-intensive environments. On the regulatory side, Kordia reports that 11% of New Zealand businesses affected by a cyber incident faced fines from a regulator. The Office of the Privacy Commissioner has previously reported growth in privacy complaints and has called for modernisation of the Privacy Act 2020, signalling potential change in expectations around notification, governance and accountability.

The incident and the wider data raise several practical review points, including:

• Whether cyber and privacy policy wordings clearly address AI-related exposures, such as shadow AI and AI-enabled social engineering
• The suitability of limits and sublimits for data breach response, extortion, business interruption, and regulatory investigation or penalty costs for healthcare and other high-data sectors
• How cyber cover interacts with medical malpractice, professional indemnity, and directors’ and officers’ policies where patient data is accessed and services are interrupted
• The extent to which underwriters expect insured organisations to manage cyber hygiene, incident response planning, and oversight of third-party platforms and IT service providers.

As New Zealand organisations continue to expand digital services in clinical and commercial settings, the IntraCare case illustrates how a single cyber incident can span operational disruption, privacy obligations, and regulatory engagement, with direct implications for risk transfer arrangements and for how insurance professionals assess and price cyber and data-related exposures.