A Wellington pharmacy scrambled to remove patient data from the internet after a website fault left 29 patients' private messages publicly accessible.

Unichem Petone experienced a data leak that exposed patients' private messages sent through its website contact form. The exposed information included patients' full names, contact details, and requests for repeat prescriptions.

A system error with the website portal caused patient messages from the contact form to become publicly viewable online rather than being sent privately to the pharmacy's email. Messages were exposed from early June, when the pharmacy changed website providers, until 22 June.

A Stuff reporter discovered the breach while researching an article and alerted the pharmacy on Monday morning. Pharmacy owner Joseph Tsou said the sensitive information has since been removed.

"I know our customers had trust in us and it should have been a very private and confidential message to us," Tsou said. "Nothing like this was intended to happen - I'm really trying to make it right."

Tsou said the website contained no patient database and the incident differed from a database breach like the Manage My Health cyberhack.

Health NZ chief information security officer Peter Booth said this involved a third-party pharmacy website and was a localised matter, with broader health sector systems unaffected. The National Cyber Security Centre is in contact with the pharmacy but declined to comment on investigation details.

The Pharmacy Council, which had not been formally notified beyond media reports as of Monday, said the matter was primarily for the privacy commissioner. The council would consider whether to act only if information emerged indicating a pharmacist had failed to meet required standards of practice.

Green Cross Health group chief executive Rachael Newfield said the website functioned independently outside the corporate digital environment and was managed separately by the individual licensee.

UnichemPetone is contacting the 29 affected patients.