Two Major Health Data Breaches Shake New Zealand’s Cybersecurity Landscape
New Zealand’s healthcare sector is grappling with the fallout from two significant cyber incidents, raising concerns over data security and delayed disclosures. The breaches one at Canopy Health and the other at Manage My Health (MMH) have exposed vulnerabilities in patient data protection and sparked public frustration over notification delays.
Canopy Health Breach: Delayed Disclosure Fuels Outrage
Canopy Health, New Zealand’s largest private oncology provider, confirmed on January 8 that it had suffered a cyber intrusion in July 2023. The company stated that unauthorized access was detected in part of its administrative systems, with some patient data potentially copied. While the breach was contained following a forensic review, the six-month delay in notifying affected individuals has drawn sharp criticism. Patients reported learning of the incident only after the Manage My Health breach dominated headlines in late December, with one individual calling the delay "an outrageous amount of time to keep the breach secret."
Manage My Health Breach: Larger in Scale, Financially Motivated
The MMH breach, disclosed on December 31, 2023, is far more extensive, affecting approximately 127,000 patients and exposing around 430,000 documents from the portal’s "health documents" section. About 70% of impacted patients are in Northland, where Health NZ uses MMH for direct patient communication.
The hacker, operating under the alias Kazu, claimed the attack was financially motivated, demanding a US$60,000 (NZ$103,500) ransom with a deadline that expired on January 5. MMH has not confirmed whether it engaged with the hacker or paid the ransom but has secured High Court injunctions to limit the spread of stolen data.
Security Failures and Industry Reactions
Security experts have pointed to basic lapses in MMH’s defenses, particularly the absence of mandatory multi-factor authentication (MFA), which could have prevented the breach. While MFA is widely recommended, some argue it may pose accessibility challenges for elderly or disabled patients. However, a post-breach analysis by security consultant Adam Burns identified multiple baseline security gaps, warning that the incident could inspire copycat attacks and further target New Zealand’s healthcare sector.
Background on Manage My Health
MMH, launched in 2008 as a patient portal by Medtech (a dominant GP practice management system), has grown into the most widely used health portal in New Zealand. Despite its private ownership, experts note that enforcement of security standards not ownership determines risk levels. The breach comes at a sensitive time for New Zealand’s digital-first government initiatives, including the recent launch of the govt.nz app and plans for digital driver licenses, raising questions about public trust in digital services.
The incidents underscore ongoing challenges in balancing security, accessibility, and regulatory oversight in New Zealand’s healthcare data infrastructure.
Canopy Cancer Care cybersecurity rating report: https://www.rankiteo.com/company/canopy-cancer-care
"id": "CAN1768527698",
"linkid": "canopy-cancer-care",
"type": "Breach",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'industry': 'Healthcare (Oncology)',
'location': 'New Zealand',
'name': 'Canopy Health',
'size': 'Largest private oncology provider in New '
'Zealand',
'type': 'Private healthcare provider'},
{'customers_affected': '127,000 patients',
'industry': 'Healthcare (Digital Health Records)',
'location': 'New Zealand',
'name': 'Manage My Health (MMH)',
'size': 'Most widely used health portal in New Zealand',
'type': 'Patient portal'}],
'attack_vector': 'Unauthorized access (Canopy Health), Exploited security '
'gaps (MMH)',
'customer_advisories': 'Public statements (Canopy Health, MMH)',
'data_breach': {'data_exfiltration': 'Potential data copying (Canopy Health), '
'Data stolen (MMH)',
'file_types_exposed': 'Health documents',
'number_of_records_exposed': '430,000 documents (MMH)',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (health records, personally '
'identifiable information)',
'type_of_data_compromised': 'Patient data, Health documents'},
'date_detected': 'July 2023 (Canopy Health), December 2023 (MMH)',
'date_publicly_disclosed': 'January 8, 2024 (Canopy Health), December 31, '
'2023 (MMH)',
'description': 'New Zealand’s healthcare sector faced two significant cyber '
'incidents involving Canopy Health and Manage My Health (MMH), '
'exposing vulnerabilities in patient data protection and '
'sparking public frustration over delayed disclosures.',
'impact': {'brand_reputation_impact': 'Erosion of public trust in healthcare '
'data security',
'customer_complaints': 'Public outrage over delayed disclosure '
'(Canopy Health)',
'data_compromised': 'Patient data (Canopy Health), 430,000 '
'documents (MMH)',
'identity_theft_risk': 'High (patient data exposed)',
'legal_liabilities': 'High Court injunctions (MMH)',
'operational_impact': 'Delayed patient notifications, Public '
'frustration, Legal actions (MMH)',
'systems_affected': 'Administrative systems (Canopy Health), '
'Health documents portal (MMH)'},
'investigation_status': 'Ongoing',
'lessons_learned': 'Need for mandatory multi-factor authentication (MFA), '
'Timely breach disclosures, Strengthening baseline '
'security measures, Balancing accessibility and security '
'in healthcare data systems',
'motivation': 'Financial gain (MMH)',
'post_incident_analysis': {'corrective_actions': 'Implementation of MFA, '
'Security audits, Improved '
'incident response protocols',
'root_causes': 'Lack of MFA, Basic security '
'lapses, Delayed detection and '
'response'},
'ransomware': {'data_exfiltration': 'Yes (MMH)',
'ransom_demanded': 'US$60,000 (NZ$103,500) (MMH)'},
'recommendations': 'Implement MFA, Improve incident response timelines, '
'Enhance security audits, Increase public transparency, '
'Strengthen regulatory oversight',
'references': [{'source': 'News articles on Canopy Health and Manage My '
'Health breaches'}],
'regulatory_compliance': {'legal_actions': 'High Court injunctions (MMH)'},
'response': {'communication_strategy': 'Delayed disclosure (Canopy Health), '
'Public statement (MMH)',
'containment_measures': 'Breach contained (Canopy Health), High '
'Court injunctions (MMH)',
'third_party_assistance': 'Forensic review (Canopy Health), '
'Security consultant (Adam Burns for '
'MMH)'},
'threat_actor': 'Kazu (MMH)',
'title': 'Two Major Health Data Breaches in New Zealand’s Healthcare Sector',
'type': ['Data Breach', 'Ransomware'],
'vulnerability_exploited': 'Lack of multi-factor authentication (MFA), Basic '
'security lapses (MMH)'}