Five websites operated by three district health boards have been found to have potential security vulnerabilities, the Ministry of Health says.
The Ministry of Health ordered the scan of 600 websites operated by DHBs and primary health organisations, after it was revealed a website belonging to Tū Ora Compass Health had been hacked.
The Government Communications Security Bureau's National Cyber Security Centre scanned the websites to see if they had the same vulnerabilities as those which enabled the Tū Ora breach.
One of the vulnerabilities was a "false positive" where subsequent analysis showed the vulnerability had already been patched and was secure.
In the other four instances, the vulnerabilities were confirmed and immediate actions were taken by the affected DHBs to mitigate the risk, the ministry said.
The ministry has been advised that none of the websites contained, or provided immediate access to, confidential health information about patients.
Because of that, and because the risks have been mitigated, and to minimise the risk of inadvertently abetting further illegal activity, the ministry is not naming the DHBs or the websites.
As well as the national scan, the ministry has asked DHBs and PHOs to assure themselves, and to confirm it, that their externally-facing systems have appropriate security and privacy controls in place.
All 20 DHBs and all 31 PHOs have provided information to the ministry - either directly, or in the case of some PHOs, through their IT providers.
The ministry will also commission independent external reviews of the externally facing systems at all DHBs and PHOs where external assurance cannot be provided.
The ministry said it will be working with companies with expertise in this area.
The work will focus on testing and remedying vulnerabilities in externally facing information technology systems in key health sector agencies.
Where organisations have separately commissioned external audits or reviews themselves, these are to be independently assessed to ensure they satisfy the ministry's expectations regarding appropriate security and privacy of information.
