New breach hits NZ health sector

Accessed data may include names, contact details, referral information

New Zealand’s health sector is dealing with another data breach, with Canopy Healthcare confirming unauthorised access to its systems six months after detection, adding to ongoing cyber risk considerations for insurers and healthcare organisations.

 

Canopy Healthcare outlines July 2025 incident

According to Stuff’s report, Canopy Healthcare, which owns several diagnostic and oncology services across the North Island, has written to patients about a cyber incident it identified on July 18, 2025. In its notice, the company said that on that date “an unknown person temporarily obtained unauthorised access to a part of our systems used by our administration team.” The company told patients that its core clinical operations and main clinical platforms continued without interruption. “All our services continued to operate as normal. Our clinics, patient services, electronic health record systems, appointments, and medical records were not affected,” the company said.

 

Canopy Healthcare is the parent company of Canopy Imaging (formerly TRG Imaging), Absolutely Radiology, Canopy Cancer Care, and Auckland Breast Centre. Patients were informed they were being contacted because they had used one or more of these services and might have been affected by the incident. According to the notification, the information that may have been accessed includes some health-related data, such as names, contact details, and referral information. The company said it has not been contacted by any person or group claiming responsibility and is monitoring for signs of data misuse. “We have closely monitored, and will continue to do so, for any signs of illegal data sharing. We can confirm that there is no evidence of this occurring,” Canopy told patients.

 

Canopy has notified the New Zealand Police and the Office of the Privacy Commissioner and has obtained an urgent High Court injunction aimed at preventing the use or publication of any information that may have been accessed. A Ministry of Health spokesperson said the ministry does not regulate Canopy Healthcare because it is a private provider, but noted that it is required to comply with the Privacy Act 2020 and the Health Information Privacy Code.

 

Delay in notification draws scrutiny

The six-month gap between Canopy identifying unauthorised access and writing to patients has prompted concern from at least one patient and may be of interest to insurers examining notification timelines and governance practices. One patient, who asked not to be named, said she was unsettled by the delay. “I’m feeling really let down because it’s taken six months for Canopy to let us know...” she told Stuff. She also highlighted differences between what was said in the patient email and information on Canopy’s website about whether banking data was involved.

 

In the email to patients, Canopy said there was “no indication that any credit card, banking information, or identity documents were affected.” However, the breach FAQ on the company’s website states: “The unauthorised party may have accessed a small number of bank account numbers, which had been provided to Canopy for payment or refund purposes. We are directly notifying potentially affected individuals.”

 

The patient said the incident was particularly concerning given recent developments at the Manage My Health (MMH) patient portal. “Especially with the data breach at Manage My Health, I’m a registered user. I haven’t been contacted as potentially affected; however, I feel really nervous. Then to get this... I think we can all acknowledge hackers are getting very smart, and are getting more sophisticated. But six months? That’s my issue, that’s what I was shocked about,” the patient said. For insurers, brokers, and risk managers, the timing of disclosure and the consistency of messaging across email and online FAQs may be relevant when assessing governance arrangements, potential liability, and compliance with notification requirements.

 

Manage My Health incident illustrates wider exposure

The Canopy notification comes after a cyber incident at Manage My Health, a privately operated GP patient portal used by practices around New Zealand, which has attracted sustained attention in the sector. MMH disclosed in late December 2025 that it had experienced unauthorised access to its New Zealand application and health information. The incident involved ransomware, with attackers targeting the platform on Dec. 30 and accessing personal health documents for about 120,000 people. The group behind the attack initially demanded US$60,000 (about NZ$104,000) and began publishing files on the dark web, saying they would release “everything they have” if payment was not made within 48 hours, according to media reports.

 

In a Jan. 6 update, MMH said an independent forensic review found the incident was confined to the “My Health Documents” module of the platform. The company reported that approximately 6% to 7% of its roughly 1.8 million registered users had documents accessed. It said core modules – including appointments, prescriptions, and information in the Health Record function – had not been accessed, and that external security specialists had found no evidence of unauthorised access to those areas. MMH said it has engaged independent international forensic consultants and has begun phased notifications to affected users.

 

MMH also obtained an interim High Court injunction preventing any person from accessing, sharing, or publishing the stolen information and requiring deletion by anyone who holds it. Despite the order, the group linked to the attack has continued to post online, including the message “New 10 GB samples will be shared soon !!!”, indicating ongoing risk of data exposure.

 

Cyber loss patterns inform insurance response

These healthcare incidents are occurring at a time of increased financial losses from cyber events in New Zealand. In its Cyber Security Insights report for the quarter from July 1 to Sept. 30, 2025, the National Cyber Security Centre (NCSC) recorded 1,249 incident reports. While the number of incidents was similar to earlier periods, direct financial losses for the quarter rose to $12.4 million, compared with $5.7 million in the previous quarter. For underwriters and risk managers focused on the health sector, the Canopy and MMH incidents highlight several areas of interest:

 

  • The time taken to detect and disclose cyber incidents, and how notification practices align with privacy and disclosure obligations.
  • The separation between clinical and administrative systems, and whether different platforms and modules are segregated from a technology and contractual perspective.
  • The influence of third-party technology providers and portals on the overall risk profile of hospitals, clinics, and general practices.
  • The role of court orders and other legal measures alongside ongoing extortion attempts and potential data leakage.

 

For claims teams and brokers, these cases illustrate how cyber incidents can trigger multiple coverage questions across cyber, privacy liability, and possibly medical malpractice policies, including how forensic costs, notification expenses, legal response, and regulatory engagement are treated under policy wordings. As investigations, regulatory reviews, and any subsequent litigation develop, New Zealand insurers and intermediaries are expected to factor lessons from both incidents into underwriting decisions, risk assessments, and advice on cyber resilience and data governance for health sector clients.

 

Insurance Business NZ

 

https://www.insurancebusinessmag.com/nz/news/cyber/new-breach-hits-new-zealand-health-sector-after-delayed-disclosure-561671.aspx