A leading private provider doing breast cancer diagnosis and treatment took six months to notify some patients or the public of a major cyber attack on its systems.
In an update on its website this week, Canopy Health - the largest private medical oncology provider in the country - said on July 18, 2025, it identified that an unknown person "temporarily obtained unauthorised access" to a part of its systems used by its administration team.
"Following a thorough forensic review by our cybersecurity experts, we have been advised that unauthorised access to one of our servers likely occurred, and some data may have been copied."
The company, which runs 24 diagnostic clinics, eight oncology clinics, two private breast surgical centres and a drug compounding business, said the incident had been "contained" and the investigation was ongoing.
Under its Q&A section, Canopy noted the hacker "may have accessed a small number of bank account numbers, which had been provided to Canopy for payment or refund purposes".
"We are directly notifying potentially affected individuals.
"It is unlikely the threat actor can take significant action with these details, as sensitive bank account information is highly protected.
"However, if you are concerned, please contact your bank."
One man - whose wife received a letter from Canopy Healthcare on December 12 to inform her of the "cyber event" - said it was the first they had heard of the breach.
Canopy Healthcare has been approached for comment.
Second health data incident
In late December ManageMyHealth confirmed it had identified a security incident involving "unauthorised access" to its platform. It believed between 6 and 7% of the approximately 1.8 million registered users may have been impacted.
On Friday, the company said more than half of all impacted patients had now received a notification email, and all patients who were not affected could also see that in their ManageMyHealth app.
More than 80,000 of the 125,000 patients affected by the ransomware attack are based in Northland - the only region where Health NZ itself uses Manage My Health to share information with patients, including hospital discharge summaries, outpatient clinic letters and referral notifications.
The operators of compromised patient data app ManageMyHealth say they have received "independent confirmation" from IT experts the flaws in its code have been fixed.
