New Zealand Health Sector Hit by Two Major Cyber Incidents, Raising Concerns Over Data Security and Disclosure Practices
New Zealand’s healthcare sector is grappling with the fallout from two significant cyber incidents, underscoring growing cyber risks for providers and insurers. Canopy Healthcare, which operates diagnostic and oncology services including Canopy Imaging, Absolutely Radiology, Canopy Cancer Care, and Auckland Breast Centre, disclosed a breach on January 17, 2026, six months after detecting unauthorized access to its administrative systems on July 18, 2025.
The company confirmed that core clinical operations, including electronic health records and patient appointments, remained unaffected. However, exposed data may have included names, contact details, and referral information. While Canopy stated there was no evidence of credit card or identity document compromise, its online FAQ noted that a small number of bank account numbers provided for payment or refund purposes may have been accessed. The discrepancy between the email notification and website details has drawn criticism from affected patients.
Canopy has notified New Zealand Police and the Office of the Privacy Commissioner, and has secured a High Court injunction to block the use or publication of any accessed data. Despite these measures, concerns persist over the six-month delay in notifying patients, with one individual expressing frustration over the lack of transparency.
The incident follows a high-profile ransomware attack on Manage My Health (MMH), a GP patient portal used by practices nationwide. MMH disclosed the breach in late December 2025, revealing that attackers accessed personal health documents for approximately 120,000 users (6% to 7% of its 1.8 million registered users) after compromising its "My Health Documents" module on December 30. Core functions, such as prescriptions and health records, remained secure.
The attackers, who initially demanded US$60,000 (NZ$104,000), began publishing stolen data on the dark web, threatening to release more if the ransom went unpaid. Despite a High Court injunction prohibiting data dissemination, the group continued posting updates, including a recent warning of additional leaks.
For insurers and risk managers, these incidents highlight critical challenges: notification timelines, governance practices, and the segregation of administrative and clinical systems. The delays in disclosure, particularly Canopy’s six-month gap, have raised questions about compliance with New Zealand’s Privacy Act 2020. Meanwhile, the MMH breach underscores the vulnerabilities introduced by third-party patient portals, which can amplify risk across interconnected healthcare networks.
The National Cyber Security Centre (NCSC) reported a sharp rise in financial losses from cyber incidents, with direct costs reaching $12.4 million in Q3 2025, more than double the previous quarter’s $5.7 million. As investigations continue, these breaches serve as a stark reminder of the evolving cyber threats facing New Zealand’s health sector and the need for robust data protection measures.
Canopy Imaging cybersecurity rating report: https://www.rankiteo.com/company/canopy-imaging-ltd
"id": "CAN1768239982",
"linkid": "canopy-imaging-ltd",
"type": "Breach",
"date": "7/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Patients of Canopy Imaging, '
'Absolutely Radiology, Canopy '
'Cancer Care, and Auckland '
'Breast Centre',
'industry': 'Healthcare',
'location': 'New Zealand',
'name': 'Canopy Healthcare',
'type': 'Healthcare Provider'}],
'customer_advisories': 'Affected patients notified via email with '
'instructions to monitor for signs of data misuse. '
'Patients advised to review bank statements and report '
'any suspicious activity.',
'data_breach': {'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (health-related and financial '
'data)',
'type_of_data_compromised': ['Names',
'Contact details',
'Referral information',
'Bank account numbers']},
'date_detected': '2025-07-18',
'date_publicly_disclosed': '2026-01',
'description': 'Canopy Healthcare identified unauthorized access to a part of '
'its systems used by its administration team on July 18, 2025. '
'The incident did not affect core clinical operations, but '
'some patient data may have been accessed. The company '
'notified affected patients six months after detection.',
'impact': {'brand_reputation_impact': 'Yes, due to delayed notification and '
'inconsistencies in messaging',
'customer_complaints': 'Yes, from affected patients',
'data_compromised': 'Health-related data, including names, contact '
'details, referral information, and a small '
'number of bank account numbers',
'identity_theft_risk': 'Potential, given exposure of personal and '
'health-related data',
'legal_liabilities': 'Potential under Privacy Act 2020 and Health '
'Information Privacy Code',
'operational_impact': 'Core clinical operations and main clinical '
'platforms continued without interruption',
'payment_information_risk': 'Yes, due to potential access to bank '
'account numbers',
'systems_affected': 'Administrative systems'},
'investigation_status': 'Ongoing',
'lessons_learned': 'Delayed notification can erode patient trust and raise '
'governance concerns. Inconsistencies in messaging (e.g., '
'banking data involvement) can exacerbate reputational '
'damage. Segregation of administrative and clinical '
'systems is critical for minimizing operational impact.',
'post_incident_analysis': {'corrective_actions': ['Obtained High Court '
'injunction to prevent data '
'misuse',
'Engaged independent '
'forensic consultants',
'Enhanced monitoring for '
'illegal data sharing',
'Phased notifications to '
'affected patients'],
'root_causes': 'Unauthorized access to '
'administrative systems, '
'potentially due to inadequate '
'segregation or vulnerabilities in '
'third-party portals.'},
'recommendations': ['Improve detection and response timelines to comply with '
'notification obligations',
'Ensure consistency in public communications across all '
'channels',
'Enhance monitoring for signs of data misuse '
'post-incident',
'Review and strengthen segregation of administrative and '
'clinical systems',
'Engage third-party forensic experts promptly for '
'incident investigation'],
'references': [{'source': 'Stuff'},
{'source': 'Canopy Healthcare Patient Notification'},
{'source': 'Canopy Healthcare Breach FAQ'},
{'source': 'National Cyber Security Centre (NCSC) Cyber '
'Security Insights Report (July-Sept 2025)'},
{'source': 'Manage My Health Incident Reports'}],
'regulatory_compliance': {'legal_actions': 'Urgent High Court injunction '
'obtained to prevent data misuse',
'regulations_violated': ['Privacy Act 2020',
'Health Information '
'Privacy Code'],
'regulatory_notifications': 'Yes (Office of the '
'Privacy Commissioner)'},
'response': {'communication_strategy': 'Email notification to patients and '
'FAQ on website',
'enhanced_monitoring': 'Yes, for signs of illegal data sharing',
'law_enforcement_notified': 'Yes (New Zealand Police)',
'third_party_assistance': 'Independent forensic consultants'},
'stakeholder_advisories': 'Insurers, brokers, and risk managers advised to '
'assess governance arrangements, potential '
'liability, and compliance with notification '
'requirements. Claims teams should evaluate '
'coverage questions across cyber, privacy '
'liability, and medical malpractice policies.',
'title': 'Canopy Healthcare Cyber Incident',
'type': 'Unauthorized Access'}