Te Whatu Ora believes someone with expert technical knowledge could identify a small number of individuals whose data was leaked earlier this month, allegedly by a staff member.
In a statement, the health agency chief executive Margie Apa said identifying the individuals would take considerable effort.
The Covid vaccination data set previously posted on overseas websites contained information which included vaccination information and dates, though the contents were altered to anonymise individuals.
"We can also confirm that the investigation has found the employee inappropriately sent some other information outside the organisation," Apa said.
"There is no evidence at this time this information was shared publicly, or with other people, however we are working with experts to provide us with further assurance this information was not shared more widely."
Apa said Te Whatu Ora "took action" today in relation to claims on social media related to the data breach last month.
She said the threat in the social media post to release private health information accessed from Te Whatu Ora breaches current orders from the Employment Relations Authority.
"As such we have responded accordingly."
Once the investigation is complete, Te Whatu Ora said it would be in contact those "significantly impacted" by the breach.
Te Whatu Ora employee Barry Young, 56, has pleaded not guilty to a charge of accessing a computer system for dishonest purposes.
He was arrested two weeks ago, after the health ministry laid a complaint with police. The ministry alleged there was an "unauthorised disclosure and misuse of data by one of its staff members".
At that time, Te Whatu Ora said the data appeared to be anonymised.
SHARE ME