Canopy Health confirms it suffered a serious cyber intrusion that went undisclosed to patients for six months. The delayed notification has triggered anger and deep concern among those affected, many of whom say the Canopy Health data breach has eroded their confidence in health providers and the systems meant to protect sensitive personal information.
The Canopy Health cyberattack was publicly acknowledged this week after months of behind-the-scenes investigation. In an update posted on its website, Canopy Health said it identified the incident on 18 July 2025, when it detected that an unknown person had “temporarily obtained unauthorized access” to part of its internal systems used by its administration team.
Following a forensic investigation conducted by external cybersecurity experts, the organization said it had been advised that “unauthorized access to one of our servers likely occurred, and some data may have been copied.” Canopy Health added that the incident had since been contained, but confirmed the investigation was ongoing.
Patients React to the Canopy Health Data Breach
According to Radio New Zealand, a woman who requested anonymity said she only learned about the Canopy Health data breach after receiving an email from the company this week. “Six months is an outrageous amount of time to keep the breach secret,” she said.
She had previously been referred to one of Canopy Health’s clinics for mammograms under the government-funded national breast screening program, BreastScreen Aotearoa, and had also used its diagnostic imaging services. The woman said the email she received claimed there was “no indication that any credit card, banking information or identity documents were affected.” However, she noted this appeared to contradict Canopy Health’s website statement, which acknowledged hackers may have “accessed a small number of bank account numbers.”
The woman, who is also a user of the Manage My Health platform, said that beyond what she described as “obviously inadequate data security systems,” the slow and unclear communication from both companies was “completely unacceptable.” “I am angry, and my confidence in health services and data security in this country is at an all-time low,” she said.
Concerns Over Financial and Identity Information
Another Auckland resident, also granted anonymity by RNZ, said she was referred to Canopy Health for a mammogram through BreastScreen Aotearoa and only received a letter about the breach in mid-December. “It was definitely not acceptable that this happened in July, but I only received a letter months later,” she said. “I would never have known if they had not sent that letter. But in the period of time they’ve taken to send it to me, anything could have happened.”
She said she was not reassured by Canopy Health’s assertion that it was “unlikely” patients’ identities were at risk. “If any of my information were compromised in any way, it would affect me,” she said. “I don’t know what would be out there, especially with the job I do—what if it fell into the hands of the wrong person and was used against me?”
Under a Q&A section published on its website, Canopy Health said the hacker “may have accessed a small number of bank account numbers, which had been provided to Canopy for payment or refund purposes.” The company said it was “directly notifying potentially affected individuals” and added that it was “unlikely the threat actor can take significant action with these details, as sensitive bank account information is highly protected.” Patients concerned about the Canopy Health data breach were advised to contact their banks.
Second Health Data Incident Raises Wider Questions
The Canopy Health cyberattack comes amid heightened scrutiny of data security in the health sector. In late December, patient portal provider Manage My Health confirmed it had identified a separate security incident involving unauthorized access to its platform. The company said between 6 and 7 percent of its approximately 1.8 million registered users may have been affected.
Manage My Health later said more than half of impacted patients had received notification emails, and that unaffected users could see their status within the app. Of the roughly 125,000 patients affected by the ransomware attack, more than 80,000 are based in Northland—the only region where Health NZ uses Manage My Health to share hospital discharge summaries, outpatient clinic letters, and referral notifications with patients.
The operators of Manage My Health said they have received “independent confirmation” from IT experts that vulnerabilities in its code have now been fixed. Meanwhile, the fallout from the Canopy Health data breach and the broader Canopy Health cyberattack continues to raise serious questions about transparency, accountability, and the protection of patient data across the healthcare system.
