Canopy Health: Canopy Health Confirms Cyberattack, Patients Not Notified for Six Months

Canopy Health Confirms Six-Month Delay in Disclosing Major Data Breach

Canopy Health has acknowledged a significant cyber intrusion that went undisclosed to patients for six months, sparking outrage among those affected. The breach was first detected on 18 July 2025, when the organization identified unauthorized access to its internal administrative systems. A subsequent forensic investigation revealed that hackers likely copied data from one of its servers, though the full scope remains under review.

Patients expressed frustration over the delayed notification, with some learning of the incident only after receiving an email this week. One anonymous woman, who used Canopy Health’s services for mammograms under BreastScreen Aotearoa, criticized the lack of transparency, stating that the six-month delay was "completely unacceptable." While Canopy Health claimed no credit card or identity documents were compromised, its website later acknowledged that hackers may have accessed "a small number of bank account numbers" provided for payments or refunds.

Another affected Auckland resident, who received a breach notification in mid-December, questioned the company’s assurance that identity risks were minimal. She warned that compromised data could have serious consequences, particularly for her profession.

In response, Canopy Health stated it was directly notifying impacted individuals and advised them to contact their banks for precautionary measures. The breach occurs amid broader concerns about healthcare data security, following a separate ransomware attack on Manage My Health in late December, which affected roughly 125,000 users, primarily in Northland.

Both incidents have intensified scrutiny over transparency, accountability, and patient data protection in New Zealand’s healthcare sector. Investigations into the Canopy Health breach remain ongoing.

Source: https://thecyberexpress.com/canopy-health-data-breach-six-month-delay/

Canopy Health cybersecurity rating report: https://www.rankiteo.com/company/canopy-health

"id": "CAN1768202785",
"linkid": "canopy-health",
"type": "Breach",
"date": "7/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Patients referred for '
                                              'mammograms and diagnostic '
                                              'imaging services, including '
                                              'users of BreastScreen Aotearoa '
                                              'and Manage My Health',
                        'industry': 'Healthcare',
                        'location': 'New Zealand',
                        'name': 'Canopy Health',
                        'type': 'Healthcare Provider'}],
 'attack_vector': 'Unauthorized Access',
 'customer_advisories': 'Direct notifications to potentially affected '
                        'individuals; website Q&A for further information.',
 'data_breach': {'data_exfiltration': 'Possible',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Bank account numbers',
                                              'Personal health information']},
 'date_detected': '2025-07-18',
 'date_publicly_disclosed': '2025-12-00',
 'description': 'Canopy Health suffered a cyber intrusion that went '
                'undisclosed to patients for six months. The incident was '
                'detected on 18 July 2025, when unauthorized access to '
                'internal systems was identified. A forensic investigation '
                'revealed that some data may have been copied, and the breach '
                'was contained. Patients expressed anger over the delayed '
                'notification and concerns about compromised sensitive '
                'information.',
 'impact': {'brand_reputation_impact': 'Significant',
            'customer_complaints': 'High',
            'data_compromised': 'Bank account numbers, personal health '
                                'information',
            'identity_theft_risk': 'Possible',
            'operational_impact': 'Erosion of patient confidence, delayed '
                                  'communication',
            'payment_information_risk': 'Bank account numbers exposed',
            'systems_affected': 'Internal administration systems, servers'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Delayed communication erodes patient trust; need for '
                    'improved transparency and data security measures in '
                    'healthcare.',
 'post_incident_analysis': {'corrective_actions': 'Forensic investigation '
                                                  'completed; vulnerabilities '
                                                  'being addressed; '
                                                  'independent confirmation of '
                                                  'fixes for related incidents '
                                                  '(e.g., Manage My Health).',
                            'root_causes': 'Inadequate data security systems, '
                                           'delayed detection and response'},
 'recommendations': 'Implement stricter data protection protocols, ensure '
                    'timely breach notifications, enhance monitoring of '
                    'internal systems, and improve communication strategies '
                    'with affected individuals.',
 'references': [{'source': 'Radio New Zealand (RNZ)'},
                {'source': 'Canopy Health Website'}],
 'response': {'communication_strategy': 'Delayed notifications to affected '
                                        'individuals, website updates',
              'containment_measures': 'Incident contained',
              'incident_response_plan_activated': 'Yes',
              'third_party_assistance': 'External cybersecurity experts'},
 'stakeholder_advisories': 'Patients advised to contact their banks if '
                           'concerned about financial information exposure.',
 'threat_actor': 'Unknown',
 'title': 'Canopy Health Cyber Intrusion and Data Breach',
 'type': 'Data Breach'}