The hack successfully targeted systems at Tū Ora Compass Health, which provides data services to Think Hauora and patient services to Cosine, Te Awakairangi Health Network and Ora Toa.
There are about 648,000 people in the areas covered by the groups, although the number of those affected could be up to one million when counting those who had died or moved.
Analysis by the Government Communications Security Bureau's (GCSB) National Cyber Security Centre (NCSC) identified Tu Ora Compass Health had been subject to four instances of malicious cyber activity, involving the exploitation of publically known web server vulnerabilities. Two of those compromises dated back to 2016.
Government Communications Security Bureau Director General Andrew Hampton said one of the 2016 attacks came from "sophisticated cyber actors".
He said the analysis by the cyber security centre of that attack "indicates that patient information was accessible to the cyber actors".
He said there wasn't enough historical information kept on Tu Ora's network to work out what, if anything, was taken.
"We believe it is likely that data was accessed or taken," he said.
He said the two recent examples were "web site defacement" which was the work of those motivated by hacktivism.
Director-General of Health Dr Ashley Bloomfield said the National Cyber Security Centre had been working with health authorities on the hack since it was discovered in early August.
He said a decision had been made to not tell the public while effort went into checking how vulnerable other systems were, and while trying to discover if any data had actually been taken.
He said the review of health-related systems had since found three district health boards vulnerable to cyber attack.
He said the review from mid-September aimed to discover further vulnerabilities and was ongoing.
It would include all health boards and public health organisations.
He said he was unsure the extent to which the Government Communications Security Bureau's Cortex security system was in place across district health boards. He said public health organisations were not covered.
The review identified four hacks: two by cyber "hacktavists" such as Vanda The God, and two others by more "sophisticated" parties.
Cyber attacks tend to be divided between state-sponsored intrusion, criminal enterprises and cyber activists.
Bloomfield did not have further details about the "sophisticated" attack.
The Ministry of Health said the data at risk included who is enrolled at which medical centre, their National Health Index Number, name, date of birth, ethnicity and address. It could also include clinical information for health promotion, such as smoking status, for managing chronic conditions like diabetes, or to deliver services.
Tū Ora Compass Health chief executive Martin Hefford said the August 5 hack was part of a "global cyber incident" which led to an investigation revealing the earlier attacks from 2016 through to March 2019.
"We don't know the motive behind the attacks. We have laid a formal complaint with police and they are investigating.
"We cannot say for certain whether or not the cyber attacks resulted in any patient information being accessed. Experts say it is likely we will never know. However, we have to assume the worst and that is why we are informing people."
Hefford said Tū Ora held data on people going back to 2002 from the Wellington, Wairarapa and Manawatu regions.
Anyone enrolled at a medical centre during that time period could be affected, it said.
The information at risk did not include GP notes, which were held by individual medical centres.
"While this was an illegal attack by cyber criminals, it was our responsibility to keep your data safe and I am very sorry we have failed to do that.
"While we have no evidence that patient data was accessed, we encourage you to be vigilant to unusual online requests."
News of the hack prompted hacktavist group Vanda The God, which claimed responsibility for the August defacement, to claim: "Yes I'm Have 1 million datas PHO Zealand."
The NCSC said it was highly unlikely the group had anything to sell.
National Party health spokesman Michael Woodhouse said Minister of Health David Clark had to reassure the public about the security of their information held on government systems.
"This cyber security breach may have seen information about the mental health, sexual health and other private enrolment information of several thousand past and present patients of practices with Tū Ora Compass PHO accessed and in criminal hands. This is an extremely serious and concerning breach."
• An information line has been set up to help those who may be at risk. It is 0800 499 500 or 06 9276930 for those calling from overseas.
