Canopy Healthcare Reports Six-Month-Old Data Breach Affecting Patient and Staff Records
Canopy Healthcare, New Zealand’s largest private medical oncology provider—encompassing facilities like Auckland Breast Centre, Canopy Cancer Care, and Canopy Imaging—has disclosed a data breach that occurred on July 18, 2025, but only notified affected individuals six months later. The unauthorized access targeted administrative systems, potentially exposing patient records, passport details, and a limited number of bank account numbers provided for payments or refunds.
While the company confirmed that credit card information remained unaffected, it acknowledged uncertainty about the full scope of compromised data. Canopy has directly contacted impacted patients and staff, including those whose identity documents may have been accessed. Affected individuals with exposed passport details were advised to place an alert on their records via the Ministry of Internal Affairs.
The breach follows a December 2024 ransomware attack on the ManageMyHealth portal, a separate healthcare service provider, which compromised 127,000 patient files. Health Minister Simeon Brown has since directed the Ministry of Health to review the ManageMyHealth incident, though no direct link between the two breaches has been established.
Canopy reported the incident to the Privacy Commissioner and police at the time but stated it has not received contact from the unauthorized party or identified the attackers. Despite the breach, the company confirmed that operations continued normally, and no ransom demands were made.
The delayed disclosure has raised questions about healthcare cybersecurity governance, with authorities yet to comment on the Canopy breach. The incident adds to growing concerns over data protection in New Zealand’s private healthcare sector.
Manage My Health cybersecurity rating report: https://www.rankiteo.com/company/managemyhealth
Canopy Imaging cybersecurity rating report: https://www.rankiteo.com/company/canopy-imaging-ltd
"id": "MANCAN1768189120",
"linkid": "managemyhealth, canopy-imaging-ltd",
"type": "Ransomware",
"date": "7/2025",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '127,000 patients (via '
'ManageMyHealth portal), small '
'number of individuals (directly '
'affected by Canopy breach)',
'industry': 'Healthcare',
'location': 'New Zealand',
'name': 'Canopy Healthcare',
'type': 'Healthcare Provider'},
{'industry': 'Healthcare',
'location': 'New Zealand',
'name': 'Auckland Breast Centre',
'type': 'Healthcare Provider'},
{'industry': 'Healthcare',
'location': 'New Zealand',
'name': 'Canopy Imaging',
'type': 'Healthcare Provider'},
{'industry': 'Healthcare',
'location': 'New Zealand',
'name': 'Canopy Cancer Care',
'type': 'Healthcare Provider'},
{'industry': 'Healthcare',
'location': 'New Zealand',
'name': 'Absolute Radiology',
'type': 'Healthcare Provider'},
{'industry': 'Healthcare',
'location': 'New Zealand',
'name': 'Imix',
'type': 'Healthcare Provider'}],
'customer_advisories': 'Direct notifications to affected individuals, advice '
'to add alert to passport records via Ministry of '
'Internal Affairs',
'data_breach': {'number_of_records_exposed': 'Small amount (exact number not '
'specified)',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Patient records',
'Passport information',
'Bank account details',
'Staff identity information']},
'date_detected': '2025-07-18',
'date_publicly_disclosed': '2026-01',
'description': 'Canopy Healthcare identified unauthorized access to a part of '
'its systems used by the administration team, potentially '
'exposing patient records, passport information, and bank '
'account details. The breach occurred six months prior to '
'public disclosure, affecting a small number of individuals.',
'impact': {'data_compromised': 'Patient records, passport information, bank '
'account details, staff identity information',
'identity_theft_risk': 'High (passport and bank account details '
'exposed)',
'operational_impact': 'Operations and services continued as normal',
'payment_information_risk': 'Bank account numbers exposed (no '
'credit cards affected)',
'systems_affected': 'Administration systems'},
'investigation_status': 'Ongoing (unable to confirm responsible party)',
'references': [{'date_accessed': '2026-01',
'source': 'Canopy Healthcare Website'},
{'source': 'NZ Herald'}],
'regulatory_compliance': {'regulatory_notifications': 'Privacy Commissioner '
'notified'},
'response': {'communication_strategy': 'Direct notifications to affected '
'individuals, public statement on '
'website',
'law_enforcement_notified': 'Yes (Police notified at the time of '
'the attack)'},
'threat_actor': 'Unknown',
'title': 'Canopy Healthcare Data Breach',
'type': 'Data Breach'}