Another healthcare provider has confirmed it was hit by a cyber breach, with patients only being informed around six months after the incident occurred.
According to a report by Karanama Ruru of Stuff, Canopy Healthcare, the country’s largest diagnostic provider in the North Island and the biggest medical oncology provider in New Zealand, contacted patients on Monday about a breach that took place in July. In its message, the company explained how the intrusion was discovered.
“On 18 July 2025, Canopy Healthcare identified that an unknown person temporarily obtained unauthorised access to a part of our systems used by our administration team,” the company said, Stuff has quoted.
Canopy stressed that its core medical services were not disrupted.
“All our services continued to operate as normal. Our clinics, patient services, electronic health record systems, appointments and medical records were not affected,” Stuff has quoted.
Canopy Healthcare is the parent company of Canopy Imaging (formerly TRG Imaging), Absolutely Radiology, Canopy Cancer Care and Auckland Breast Centre. It said people were contacted because they had previously used one of its services and could have been impacted by the breach.
A patient, who Stuff has agreed not to name, said she was distressed by the delay in being informed.
“I’m feeling really let down because its taken six months for Canopy to let us know...” she said, Stuff has quoted.
She also raised concerns about conflicting information over whether financial details had been accessed. In the email to patients, Canopy said there was “no indication that any credit card, banking information or identity documents were affected”. However, on the company’s website FAQ, it states, “The unauthorised party may have accessed a small number of bank account numbers, which had been provided to Canopy for payment or refund purposes. We are directly notifying potentially affected individuals,” as reported by Stuff.
Canopy has been contacted for comment and asked to clarify the apparent discrepancy.
The patient said the situation had left her feeling uneasy, particularly given other recent cyber incidents in the health sector.
“Especially with the data breach at Manage My Health, I’m a registered user. I haven’t been contacted as potentially affected, however I feel really nervous. Then to get this...
“I think we can all acknowledge hackers are getting very smart, and are getting more sophisticated. But six months? That’s my issue, that’s what I was shocked about,” Stuff has reported.
In its email to patients, Canopy said the information accessed may have included some health-related data, such as names, contact details and referral information. The company added it had not been approached by anyone claiming responsibility for the breach.
“We have closely monitored, and will continue to do so, for any signs of illegal data sharing. We can confirm that there is no evidence of this occurring,” Stuff has reported.
Canopy has obtained an urgent injunction from the High Court to stop the use or publication of any data that may have been accessed, and has reported the matter to NZ Police and the Office of the Privacy Commissioner.
A Ministry of Health spokesperson said it does not have oversight or regulatory authority over Canopy Healthcare, as it is a private company, but noted the organisation must comply with the Privacy Act 2020 and the Health Information Privacy Code.
The incident comes after a major cyberattack on Manage My Health, where about 127,000 users had their medical files accessed on December 30. Samples of the stolen information were later posted on the dark web along with a demand for US$60,000 (NZ$104,000) and a threat to release more data if the ransom was not paid, Stuff has reported.
ISSUE
Leave a Comment