Canopy Health, New Zealand’s largest private medical oncology provider, has publicly detailed a cybersecurity breach that occurred in July 2025, with some patients being notified approximately six months later.
The company, which operates 24 diagnostic clinics, eight oncology clinics, two private breast surgical centres and a compounding pharmacy under brands including Canopy Imaging and Canopy Cancer Care, said the incident was identified on 18 July 2025. An unknown person temporarily gained unauthorised access to a part of its systems used by its administration team.
In a website update this week, the company said a forensic review indicated that unauthorised access to one server likely occurred and “some data may have been copied.” The breach has sparked concern, with one patient’s family telling state media that a letter dated 12 December 2025 was their first notification of the “cyber event.”
The company emphasises that all clinical operations, including electronic health records, appointments, and medical records were “unaffected” and services continued “normally”, saying the incident was immediately contained within a specific administrative folder.
“Our systems are stable and functioning securely,” it said.
The investigation remains ongoing to determine the precise nature and scope of the accessed data. Canopy confirms that, in some instances, the hacker may have accessed a small number of bank account numbers provided for payment or refund purposes. The company is directly contacting those potentially affected, but notes it is “unlikely the threat actor can take significant action with these details.” No credit card information was affected.
While no patient identity documents are believed to be compromised, some staff identity information may have been accessed, and those individuals have been notified.
Canopy attributed the complex, time-consuming notification process to the nature of the breach and internal security controls, which created “some uncertainty as to the exact data that may have been accessed.”
Canopy obtained an urgent High Court injunction to prevent the use or publication of any accessed information and notified the NZ Police and the Privacy Commissioner. The company says it has seen no evidence that any data has been shared or posted online and monitoring will continue.
Individuals with concerns are directed to the National Cyber Security Centre, the Privacy Commissioner or police.
All these hacks are awesome, it shows the naked reality of a digital system and people who still opt in after all this…… Well they will make their choice and consequences associated with it
Digital ID will not be managed by some secure government department, but by many of these highly corruptible private ventures who promise privacy in a sea of changing technology.
The only way against this tide of control imposed on the public is to disobey, deflect and delay the implementation, so that critical mass cannot be obtained in their desired time-line where alternative such as cash and talking face to face already exist.
Resist
Defy
Do NOT comply