It has come to light that another service provider to the healthcare sector, Canopy Healthcare, has been hit by data breach.
However, those affected have only just been informed of the attack that occurred six months ago.
Patient records, passport information and bank account details have been affected.
Canopy describes itself as “the largest private medical oncology provider in New Zealand”. Its stable includes Auckland Breast Centre, Canopy Imaging, Canopy Cancer Care, Absolute Radiology and Imix.
Mid-2025 breach
In a post to its website, dated “January 2026″, the company said a “small” amount of data was copied.
“There continues to be some uncertainty as to the precise data and individuals that may have been affected,” Canopy said.
“At this stage, we are not aware of there being any evidence that any of the potentially affected information has been shared or posted online,” the company said.
“On July 18, 2025, Canopy Healthcare identified that an unknown person temporarily obtained unauthorised access to a part of our systems used by our administration team.
“In instances where some patient or staff information may have been accessed, we are contacting those individuals directly.”
Some customers’ bank account numbers accessed
It added: “The unauthorised party may have accessed a small number of bank account numbers, which had been provided to Canopy for payment or refund purposes. We are directly notifying potentially affected individuals.”
The message also said: “There have been some instances of staff identity information potentially being affected, and we have notified those staff to provide support.”
Canopy advised those whose passport information had been compromised could add an “alert” to their record via the Ministry of Internal Affairs.
“No credit cards were affected,” it clarified.
Canopy said its operations and services continued as normal.
“Despite rigorous investigation, we have not been able to confirm who was responsible,” it said.
“To date, Canopy has not been contacted by the unauthorised party.”
Canopy said it notified the Privacy Commissioner and police at the time of the attack.
It had also obtained an urgent injunction from the High Court to prevent use or publication of any information that may have been accessed.
Security experts said they found flaws in ManageMyHealth’s technical setups, while questions have also been raised about governance and government oversight of private providers.
Health Minister Simeon Brown has asked the Ministry of Health to conduct a review of the ManageMyHealth breach.
Brown and the Office of the Privacy Commissioner have been asked for comment on the Canopy breach.
Source :NZ Herald