Incident

Canopy Healthcare reports six-month-old data breach exposing patient and staff data



Canopy Healthcare, New Zealand's largest private medical oncology provider, is reporting a security breach that occurred on July 18, 2025. 

The breach impacted systems supporting several brands under the Canopy umbrella, including Auckland Breast Centre, Canopy Imaging, and Canopy Cancer Care. Forensic investigators report that the unauthorized party gained access to administrative folders but not to the primary electronic health record systems. The attackers copied a portion of the stored data. 

Canopy obtained an urgent injunction from the High Court of New Zealand, which is, as usual, a completely pointless exercise, since criminals don't really care about court injunctions.

The exposed data includes:

  • Patient names and contact details
  • Referral requests and radiology report information
  • A small number of bank account numbers used for payments or refunds
  • Staff identity information
  • Passport details (in specific instances)

The number of affected individuals and the nature of the attack have not been disclosed. The company apparently detected the intrusion immediately, but it did not begin notifying affected individuals until December 2025, leading to significant criticism over the six-month delay in transparency.

The company also reported the incident to the Office of the Privacy Commissioner and the New Zealand Police.

Canopy Healthcare stated that no credit card information was involved in the breach. For those whose passport data may have been accessed, the company recommended adding an alert to their records through the Ministry of Internal Affairs.
