Cybersecurity Breach at Canopy Health Exposes Patient Data, Delayed Notifications Raise Concerns
Canopy Health, Australia’s largest private medical oncology provider, disclosed a cyberattack on July 18, 2025, after detecting unauthorized access to an administrative server. A forensic review confirmed that data may have been copied, though the incident was contained. The breach potentially exposed a limited number of bank account details provided for payments or refunds, though the company stated the risk of misuse was low. Despite the July discovery, some patients—including one whose wife received a notification letter on December 12—reported learning of the breach months later.
This incident follows another major health data breach involving ManageMyHealth, a patient data platform. In late December, the company confirmed unauthorized access affecting 6–7% of its 1.8 million users. Over 125,000 patients were impacted, with more than 80,000 in Northland, where Health NZ relies on the platform for sharing sensitive medical records, including discharge summaries and clinic letters. ManageMyHealth stated that independent IT experts had verified fixes to the vulnerabilities, and over half of affected users had been notified by mid-January.
Both breaches highlight ongoing risks to healthcare data security and the challenges of timely breach disclosures. Investigations remain ongoing.
Source: https://www.odt.co.nz/news/national/second-health-provider-hit-cyber-attack-rnz
Manage My Health Australia cybersecurity rating report: https://www.rankiteo.com/company/managemyhealth-au
Canopy Health cybersecurity rating report: https://www.rankiteo.com/company/canopy-health
"id": "MANCAN1768181684",
"linkid": "managemyhealth-au, canopy-health",
"type": "Ransomware",
"date": "7/2025",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'industry': 'Healthcare',
'location': 'Australia',
'name': 'Canopy Health',
'size': 'Large (24 diagnostic clinics, 8 oncology '
'clinics, 2 private breast surgical centres, 1 '
'drug compounding business)',
'type': 'Healthcare Provider'}],
'customer_advisories': 'Direct notifications to affected individuals, website '
'Q&A',
'data_breach': {'data_exfiltration': 'Likely',
'personally_identifiable_information': 'Bank account numbers',
'sensitivity_of_data': 'High (bank account details)',
'type_of_data_compromised': 'Bank account numbers, '
'administrative data'},
'date_detected': '2025-07-18',
'date_publicly_disclosed': '2025-12-12',
'description': 'A leading private provider of breast cancer diagnosis and '
'treatment, Canopy Health, experienced a cyber attack where an '
'unknown person temporarily obtained unauthorized access to a '
'part of its systems. The incident was contained, but some '
'data may have been copied, including a small number of bank '
'account numbers provided for payment or refund purposes. The '
'company took six months to notify some patients or the '
'public.',
'impact': {'data_compromised': 'Bank account numbers, administrative data',
'operational_impact': 'Contained, ongoing investigation',
'payment_information_risk': 'Bank account numbers exposed',
'systems_affected': 'Administrative systems, servers'},
'investigation_status': 'Ongoing',
'references': [{'date_accessed': '2025-12-12',
'source': 'Canopy Health Website Update'}],
'response': {'communication_strategy': 'Direct notifications to affected '
'individuals, website update',
'containment_measures': 'Incident contained',
'third_party_assistance': 'Cybersecurity experts'},
'threat_actor': 'Unknown',
'title': 'Canopy Health Cyber Attack and Data Breach',
'type': 'Data Breach'}