    Second health provider, Canopy Health, hit in major cyber attack

    Patients caught up in the Canopy Health data breach are furious that it took the company six months to tell them about it.

    On Monday, it was revealed the leading private provider doing breast cancer diagnosis and treatment took six months to notify some patients or the public of a major cyber attack on its systems.

    In an update on its website this week, Canopy Health – the largest private medical oncology provider in the country – said that on 18 July 2025 it identified that an unknown person “temporarily obtained unauthorised access” to a part of its systems used by its administration team.

    “Following a thorough forensic review by our cybersecurity experts, we have been advised that unauthorised access to one of our servers likely occurred, and some data may have been copied.”

    The company, which runs 24 diagnostic clinics, eight oncology clinics, two private breast surgical centres and a drug compounding business, said the incident had been “contained” and the investigation was ongoing.

    Have you been affected? Share your stories with us at: iwitness@rnz.co.nz

    A woman, who asked to be anonymous, said she received an email this morning from Canopy Health about the breach, which was the first she had even heard of it happening.

    “Six months is an outrageous amount of time to keep the breach secret.”

    She has previously been referred to one of its clinics for mammograms, as part of the government-funded national breast screening programme, BreastScreen Aotearoa, over the years, and for a range of other diagnostic imaging.

    She said the email from the company – claiming there was “no indication that any credit card, banking information or identity documents were affected” – appeared to contradict the company’s online statement, which noted the hackers may have “accessed a small number of bank account numbers”.

    The woman, who was also a Manage My Health user, said apart from their “obviously inadequate data security systems”, the slow and poor communication from both companies was “completely unacceptable”.

    “I am angry, and my confidence in health services and data security in this country is at an all-time low.”

    An Auckland resident, whom RNZ has agreed not to name, was referred to Canopy Health for a mammogram as part of the government-funded national breast screening programme, BreastScreen Aotearoa.

    It was “definitely not acceptable” that this happened in July, but she only received a letter in mid-December, she said.

    “I would never have known if they had not sent that letter.

    “But in the period of time they’ve taken them to send it to me, anything could have happened.”

    She was not reassured by Canopy Healthcare’s claim that it was “unlikely” that patients’ identity was at risk.

    “If any of my information were compromised in any way, it would affect me.

    “I don’t know what would be out there, especially with the job I do – what if it fell into the hands of the wrong person and was used against me?”

    Under its Q&A section, Canopy noted the hacker “may have accessed a small number of bank account numbers, which had been provided to Canopy for payment or refund purposes”.

    “We are directly notifying potentially affected individuals.

    “It is unlikely the threat actor can take significant action with these details, as sensitive bank account information is highly protected.

    “However, if you are concerned, please contact your bank.”

    One man – whose wife received a letter from Canopy Healthcare on 12 December to inform her of the “cyber event” – said it was the first they had heard of the breach.

    Health NZ and Canopy Health have been approached for comment.

    Second health data incident

    In late December, another provider, Manage My Health, confirmed it had identified a security incident involving “unauthorised access” to its platform.

    It believed between 6 and 7 percent of the approximately 1.8 million registered users may have been affected.

    On Friday, the company said more than half of all impacted patients had now received a notification email, and all patients who were not affected could also see that in their ManageMyHealth app.

    More than 80,000 of the 125,000 patients affected by the ransomware attack are based in Northland – the only region where Health NZ itself uses Manage My Health to share information with patients, including hospital discharge summaries, outpatient clinic letters and referral notifications.

    The operators of compromised patient data app ManageMyHealth say they have received “independent confirmation” from IT experts the flaws in its code have been fixed.
