It's been revealed ACC did nothing for three months to resolve a major privacy breach it had committed.
An independent report blames human error and ACC system failures for the inadvertent release of the details about over 6,700 ACC clients to Bronwyn Pullar.
But it also reveals, despite being aware of the problem in early December 2011, the corporation took no action to address it until the privacy failure was revealed in the media in March this year.
The report says the breaches should have been further referred to a complaints investigator, or a Privacy Officer, in December.
It says the breach occurred due to genuine human error, but it was able to occur because of systematic weaknesses within ACC's culture and systems.
The report says a similar incident is likely to happen again if the problems identified aren't addressed.
The Privacy Commissioner's report also calls for massive improvements in how private information is managed and kept secure and provides a timeline for those.
The Auditor-General finds senior Board members failed to appropriately manage Ms Pullar's conflict of interest and recognise the risks to the corporation of the situation.
ACC Minister Judith Collins says all recommendations will be implemented and a reconfigured Board will be given new directions to ensure they properly lead the organisation.
ACC minister Judith Collins says there'll be an urgent overhaul of the injury prevention agency to fix the problems.
"I believe very much that the staff have been let down by a culture which has not been able to identify the risk involved in not having the right systems in place, or processes."
And ACC Interim Chair Paula Rebstock isn't saying explicitly that heads may roll as a result of the identified shortcomings.
"The employees of the corporation, including management and staff will be held accountable according to our code of conduct and performance expectations on them."
Inquiry member Malcolm Crompton says the particular human error mistake that happened at ACC could have happened in any other Government agency.
"The data breaches are happening out of many organisations all of the time, this is the one that came to public light, every organisation should be taken forward from this incredibly strong list."
Mr Crompton says in a way, Ms Pullar has done the people of New Zealand a service in making sure we pay better attention to the governance of personal information.
ACC's blackmail allegations against Bronwyn Pullar aren't covered in a report into the corporation's privacy breaches.
In March, ACC issued a report which says Ms Pullar threatened to go public about an ACC privacy breach if her claim wasn't settled.
Police subsequently found no cause for charges to be laid.
A independent report released on the privacy breach today barely canvasses the accusation.
Privacy Commissioner Marie Shroff says they're not qualified to form an opinion on it and it's a matter for police.
"We are not the right people, in my view, to be reaching conclusions like that, the police are."