Table of Contents
Summarised by Centrist
Canopy Health, which operates 24 diagnostic clinics, eight oncology clinics, two private breast surgical centres and a drug compounding business, said it identified “unauthorised access” to part of its administrative systems on July 18, 2025.
Patients, however, say they were only notified months later.
In an update posted this week, the company said an unknown person had “temporarily obtained unauthorised access” to one of its servers and that “some data may have been copied” following a forensic review.
The provider claims the incident had been contained and that investigations are ongoing.
One patient told reporters that she first learned of the breach via email this week. “Six months is an outrageous amount of time to keep the breach secret,” she said.
She also said the company’s reassurance that there was “no indication that any credit card, banking information or identity documents were affected” appeared to conflict with Canopy’s website statement that hackers may have accessed “a small number of bank account numbers”.
Another patient said she received a letter only in mid-December. “In the period of time they’ve taken to send it to me, anything could have happened,” she said.
The breach, revealed on January 12, is the second health data incident reported in New Zealand in recent weeks.
A late-December disclosure by Manage My Health dominated headlines, and 6–7 per cent of its 1.8 million registered users may have been affected by unauthorised access.
