Wellington | January 12, 2026 | New Zealand’s healthcare system is once again under scrutiny over data protection failures after Canopy Health, the country’s largest private medical oncology provider, confirmed that its systems were compromised in a cyber intrusion last year, with many patients being notified nearly six months after the incident came to light.
The delayed disclosure has raised serious questions around transparency and accountability, particularly at a time when confidence in digital health infrastructure is already fragile. The revelation comes close on the heels of the major ransomware attack on patient portal Manage My Health, intensifying concerns over systemic weaknesses in safeguarding sensitive medical information.
Certified Cyber Crime Investigator Course Launched by Centre for Police Technology
According to Canopy Health, the breach was detected on July 18, 2025, when the company identified unauthorised access to a server used by its administrative team. The provider said an unknown individual had temporarily accessed part of its system, and that some patient data may have been copied during the intrusion.
A subsequent forensic investigation by cybersecurity specialists confirmed that unauthorised access had “likely” occurred, although the full extent of the data exposure is still under assessment. Canopy Health said the incident had been contained and that additional security measures had since been implemented.
Canopy Health operates 24 diagnostic clinics, eight oncology clinics, two private breast surgery centres, along with a drug compounding business across New Zealand. The scale of its operations has heightened concerns over the potential number of patients whose information may have been affected.
Patients notified months later
Several patients told RNZ they were informed of the cyber incident only in December or January, despite the breach having occurred in July. Patients have criticised the delay, describing it as unacceptable given the sensitivity of medical and financial data involved.
One woman, who asked not to be identified, said she received her first notification email on Monday. She had previously attended Canopy Health clinics for mammograms under the government-funded BreastScreen Aotearoa programme.
“Keeping something like this quiet for six months is simply not acceptable,” she said, adding that significant harm could have occurred during that period.
She also pointed to inconsistencies between the company’s email notification and information published on its website. While the email stated there was no indication that banking details had been affected, the website acknowledged that a small number of bank account numbers may have been accessed.
An Auckland-based woman said she received a letter in mid-December and would otherwise have remained unaware of the breach.
“If they hadn’t sent that letter, I would never have known,” she said. “In the time it took them to notify me, anything could have happened.”
She said reassurances that the risk was limited offered little comfort. “If any of my information had been misused, it would affect me directly — especially given the nature of my work.”
Concerns over bank details
In its publicly available Q&A, Canopy Health acknowledged that the attacker may have accessed a small number of bank account numbers, which had been provided for payment or refund purposes. The company said it was directly contacting potentially affected individuals and advising them to remain vigilant and consult their banks if concerned.
While Canopy Health maintained that misuse of the information was unlikely, patients have questioned why notification was delayed for months if the incident was identified and investigated last year.
Growing cyber pressure on health sector
The Canopy Health breach follows closely after the Manage My Health data incident, confirmed in late December. That attack affected an estimated 6–7 percent of the platform’s 1.8 million registered users, amounting to around 125,000 patients nationwide.
More than 80,000 affected users are based in Northland, the only region where Health NZ uses Manage My Health to share hospital discharge summaries, referral notifications and outpatient clinic correspondence.
Although platform operators have said security flaws have since been addressed, doctors and patients have criticised inconsistent messaging and delayed communication, further eroding trust in digital health services.
Trust at stake
Canopy Health and Health NZ have been approached for comment on the latest incident. Patient advocates warn that repeated cyber breaches and slow disclosure practices risk undermining public confidence in healthcare providers at a time when digital systems are increasingly central to patient care.
For those affected, the issue has moved beyond cybersecurity alone, raising broader questions around transparency, accountability and patients’ right to timely information when their sensitive personal health data is compromised.
About the author — Suvedita Nath is a science student with a growing interest in cybercrime and digital safety. She writes on online activity, cyber threats, and technology-driven risks. Her work focuses on clarity, accuracy, and public awareness.
