Key Takeaways
- Canopy Health’s systems suffered a major cyber attack involving unauthorized access to a server and possible copying of data.
- The incident was identified on July 18, 2025, but some patients were not notified until six months later.
- The breach may have accessed a small number of bank account numbers, but Canopy Health believes the threat actor cannot take significant action with these details.
- Another health data incident occurred with Manage My Health, involving unauthorized access to its platform and affecting between 6 and 7 percent of its 1.8 million registered users.
- The operators of ManageMyHealth have received confirmation that the flaws in its code have been fixed.
Introduction to the Cyber Attack
A leading private provider of breast cancer diagnosis and treatment, Canopy Health, recently disclosed a major cyber attack on its systems. The incident, which occurred on July 18, 2025, involved an unknown person temporarily obtaining unauthorized access to a part of its systems used by its administration team. Canopy Health, the largest private medical oncology provider in the country, identified the breach after a thorough forensic review by its cybersecurity experts. The company has stated that the incident has been contained and the investigation is ongoing. However, it took six months for some patients to be notified of the breach, with one man reporting that his wife received a letter from Canopy Healthcare on December 12, informing her of the "cyber event" for the first time.
Details of the Breach
According to Canopy Health, the hacker may have accessed a small number of bank account numbers, which had been provided to the company for payment or refund purposes. The company has said that the threat actor is unlikely to be able to take significant action with these details, as sensitive bank account information is highly protected. Nevertheless, Canopy Health is directly notifying potentially affected individuals and has advised them to contact their banks if they are concerned. The company’s Q&A section on its website provides further information on the breach, including the steps being taken to prevent similar incidents in the future. The fact that it took six months for some patients to be notified raises concerns about the company’s handling of the breach and its communication with affected individuals.
Second Health Data Incident
In late December, another provider, Manage My Health, confirmed a security incident involving unauthorized access to its platform. The company believed that between 6 and 7 percent of its approximately 1.8 million registered users may have been affected. Manage My Health has since notified over half of the impacted patients via email, and all patients who were not affected can also see this information in their ManageMyHealth app. The incident is particularly concerning in Northland, where over 80,000 of the 125,000 patients affected by the ransomware attack are based. Health NZ itself uses Manage My Health to share information with patients in this region, including hospital discharge summaries, outpatient clinic letters, and referral notifications. The operators of ManageMyHealth have received independent confirmation from IT experts that the flaws in its code have been fixed, providing some reassurance to affected patients.
Concerns and Implications
The two health data incidents raise significant concerns about the security of patient data in New Zealand’s healthcare system. The fact that both incidents involved unauthorized access to sensitive information highlights the need for robust cybersecurity measures to protect patient data. The notification timeframe for affected patients is also a concern, with some patients not being informed of the breach for six months. This delay can exacerbate the potential harm caused by the breach, as affected individuals may not be able to take timely action to protect themselves. Furthermore, the incidents may undermine trust in the healthcare system, particularly among patients who have had their data compromised. It is essential for healthcare providers to prioritize patient data security and transparency to maintain trust and prevent similar incidents in the future.
Conclusion and Recommendations
In conclusion, the two health data incidents highlight the importance of robust cybersecurity measures to protect patient data in New Zealand’s healthcare system. Healthcare providers must prioritize patient data security and transparency to maintain trust and prevent similar incidents in the future. Patients who have been affected by the breaches should be notified promptly and provided with clear information on the steps being taken to protect their data. Additionally, healthcare providers should conduct regular security audits and implement robust measures to prevent unauthorized access to sensitive information. By prioritizing patient data security and transparency, healthcare providers can maintain trust and ensure the confidentiality, integrity, and availability of patient data.


