The Waikato DHB says patients whose private information was published on the dark web earlier this week have yet to be spoken to.
Information including bank details, drivers' licences, passports, home addresses, medical reports and other private records was published, the second release by hackers since the ransomware attack in May.
The DHB said potentially hundreds of patients may be affected.
Its chief executive Dr Kevin Snee said patient data needed to first be checked before patients could be contacted.
"You have got to assess that data for the impact it is going to have on the individuals and some of it relates to clinical information, so have to involve clinicians in assessing that data when it relates to patients," Snee said.
He hoped patients would be contacted within the next week, but their well-being was paramount.
"We are obliged to assess whether in sharing that information with the individual that you cause more harm and that is part of the process, particularly for patients."
The intention was to give the information to the patients or their caregivers if mental health issues were involved, Snee said.
All 165 staff and a couple of hundred patients whose private information was leaked in the first dump of data had been contacted.
Any more data dumps onto the dark web would be a major concern, Snee said.
"We hope not, but obviously have to prepare for the worst."
Compensation was a potential issue the DHB would work through if it arose, he said.
People had been employed to scan the dark web for any more releases of stolen data and attempt to take it down.
"What's done is done. The information that has been exfiltrated is now out there and as we stand our systems back up we take more and more steps to ensure that our systems are safe. Any inquiry that is done subsequently will also identify any lessons learned for other DHBs because I think we are fairly typical of DHBs in terms of our cyber security arrangements."
The DHB was confident of the entry point into the system the hackers used, but Snee would not elaborate apart from saying all steps necessary to address it had been taken.
"Whether [cyber security] was adequate or not will be subject to inquiry but certainly we have taken steps to improve the cyber security of the organisation. Clearly what we are concerned from this point on is to make sure any lessons are learned."
It was not known how long the recovery stage would take, and only then would an independent inquiry be launched, Snee said.