A whistleblower has been referred to police over claims she threatened to go public about being mistakenly sent confidential client details unless ACC promised to pay her a benefit for two years.
In a report to ACC Minister Judith Collins, ACC said the woman tried to negotiate a guaranteed benefit payment after a spreadsheet providing private details of thousands of claimants – some of them well-known people – was mistakenly emailed to her by an ACC manager.
"She made threats that if her demands were not met she would not return the information and she would inform the media of the alleged privacy issue," ACC said.
The woman, a client of ACC, said ACC did not speak to her before releasing its report yesterday.
"The fact that they have not spoken to me or the other people at the meeting [in December with ACC managers] has affected the accuracy of the report of that meeting and the conclusions the report has reached.
"The assertions made about the meeting are wrong."
The privacy breach was revealed by The Dominion Post on Tuesday and sparked inquiries by ACC and the privacy commissioner. It has been described as one of the worst privacy breaches in New Zealand history.
In its report to Ms Collins, released late yesterday, ACC said a senior manager mistakenly emailed the woman a spreadsheet relating to the review status of about 6752 clients, including 131 people whose cases were with the sensitive claims unit.
It said the file did not include any information on personal claim histories, but included names and other details. The spreadsheet was emailed in error in August, but ACC was not aware of the breach till December 1, when two senior managers met the woman.
The woman was warned that she must return the information to ACC and destroy or delete any copies. That was when she threatened to go public over the breach, ACC said.
In its report, ACC acknowledged that it should have acted then.
Instead, it did nothing except write to the woman requesting the return of the information.
"Given the serious nature of the alleged breach and the presence of a threat the details should have been escalated to senior ACC management at that time and the police advised."
A sweep was made of email records, but because the woman had given them the wrong name of the person who sent her the spreadsheet, no information was found to support her claim of a massive privacy breach.
ACC confirmed that it had referred the woman to the police on Tuesday after it was contacted by The Dominion Post.
It said it had received assurances from the woman's lawyer that the information had been destroyed and an independent third party had removed all related computer records from the client's computer.
ACC said it had contacted 2611 of the 6752 affected clients by Thursday morning and was following up phone calls with a letter apologising for the breach.
It had also advised staff that they should only have one piece of work on their computer desktop or screen at any one time.
Ms Collins said she was pleased ACC had acknowledged its errors.
She expected them to implement changes to ensure the privacy of information.