Update: Information regarding cyber incident. (January 2026)

Canopy Healthcare’s Cyber Response  

Information and Update 
Updated - January 2026

The cyber incident experienced by Canopy Healthcare last July has not affected any of its clinics, appointments, client electronic health records or patient management systems. 

Our notification processes commenced immediately at the outset of this incident and has continued in the proceeding months and remains a priority for us. 

We acknowledge and apologise for any distress this situation may have caused. Protecting personal and health information is a responsibility we take very seriously. 

We’ve been contacting potentially affected individuals based on verification processes from cyber security experts and in line with legislation and guidance from the Office of the Privacy Commissioner and Privacy Act. 

Due to the complexity and nature of the incident, it also took time to ascertain whether individuals may have been potentially affected. 

As soon as that information was verified, we communicated with potentially affected individuals over the past few months, with the final group notified this month. 

We also acted immediately to secure Canopy’s systems and confirm its ongoing safety. 

We promptly notified and updated relevant authorities, including the Office of the Privacy Commissioner, New Zealand Police and Health NZ, as well as staff, clinics and partners. 

A High Court injunction was secured in July 2025 prohibiting the disclosure or misuse of any accessed information by any person. The prohibition is ongoing. 

Potentially impacted individuals have also been offered the opportunity to request a call back with a Canopy team member.

We want to reassure our community of the following: 

  • Clinical operations remain unaffected. All Canopy clinics and patient services continue to operate as normal and patient appointments remain unaffected. Our systems are stable and functioning securely. 
  • The incident has been contained. We acted immediately to safeguard and protect information and our systems. 
  • The investigation is ongoing. We are actively assessing the nature and scope of the data that may have been accessed or copied. This includes identifying any potentially impacted information and individuals. 
  • No impact to other providers. At this time, we are not aware of any effects on the systems of other healthcare providers or services. 
     

Frequently Asked Questions (FAQs)

What has happened?

On 18 July 2025, Canopy Healthcare identified that an unknown person temporarily obtained unauthorised access to a part of our systems used by our administration team.   

All our services continued to operate as normal. Our clinics, patient services, electronic health record systems, appointments and medical records were not affected.  

Who is Canopy Healthcare and why have I been notified?

Canopy Healthcare is the parent company of Canopy Imaging (formerly TRG Imaging), Absolutely Radiology, Canopy Cancer Care and Auckland Breast Centre.

If you have been notified, it is because our records show that you have accessed one of our services in the past and may have been impacted by the cyber event experienced by Canopy Healthcare. 

What steps has Canopy Healthcare taken?

The company acted with urgency and took immediate steps to contain the incident and further secure our information systems.  
We confirmed that the incident was contained in a specific administrative folder and did not affect any of our clinics, patient services, electronic health record systems, appointments and medical records.  
In addition to immediately securing our systems, we worked with independent cyber experts to respond to the incident and understand what data may have been affected. We also applied for and obtained an urgent injunction from the High Court to prevent use or publication of any information that may have been accessed and notified the NZ Police and the Office of the Privacy Commissioner. 

What data may have been affected?

Canopy’s cyber team have been working hard to identify the data that may have been impacted in the incident so that we could directly contact individuals potentially affected.


This has been a technically complex and time-consuming process, that has involved the use of specialist tools. Due to the nature of the breach and the internal security controls in place to protect the data, there continues to be some uncertainty as to the exact data that may have been accessed. However, our assessment confirms that most information potentially affected was likely to be of very low or no risk to individuals. 


In instances where some patient or staff information may have been accessed, we are contacting those individuals directly.  

Has the data been misused or leaked online?

Following the event, Canopy cyber experts immediately commenced monitoring for the unauthorised use or distribution of potentially affected data. 
At this stage, we are not aware of there being any evidence that any of the potentially affected information has been shared or posted online.  
We will continue this monitoring for the foreseeable future.  
The High Court injunction prohibiting use or publication of any potentially accessed data will remain permanently in place. 

Who caused this event?

Despite rigorous investigation, we have not been able to confirm who was responsible.  


To date, Canopy has not been contacted by the unauthorised party.  
We have referred the matter to the New Zealand Police. 

Is my identity at risk?

It is unlikely that your identity is at risk. However, we continue to recommend caution – not only due to this incident but also as cyber incidents more broadly continue to rise.  

The following sites provide useful information on how you can stay cyber safe: 

Please take care when receiving emails or texts that seem unusual or ask for sensitive information or password resets. 
If you get a message you weren’t expecting, especially one asking for payment or personal details, it’s best not to reply. Verify the request through a trusted source before responding. 
If something doesn’t look right, you can let the NZ Police know using theirFraud/Scam/Cyber page. 
Canopy requests for information or payment will only be made using a Canopy Healthcare email address such as canopyhealthcare.co.nz, canopycancercare.co.nz, canopyimaging.co.nz, iMIX.co.nz or absolute.co.nz.

Have they got my bank account details?

The unauthorised party may have accessed a small number of bank account numbers, which had been provided to Canopy for payment or refund purposes.

It is unlikely the threat actor can take significant action with these details, as sensitive bank account information is highly protected.  


However, if you are concerned, please contact your bank. 

Were credit cards affected?

No credit cards were affected. 

Were any of my identity documents affected?

There is no evidence of any identity documents being affected for patients. 
There have been some instances of staff identity information potentially being affected, and we have notified those staff to provide support.  

What do I do if my passport may have been affected?

New Zealand passports are considered highly secure and are protected by robust identity verification and anti-fraud measures.
There is currently no requirement to replace a New Zealand passport involved in a data breach due to the high security standards in New Zealand.  

However, you can add an alert to your passport record at this website: Declare your New Zealand passport lost, stolen, damaged or involved in a data breach or scam 

If you place an alert, this means that extra security checks will be done if your passport details appear on a passport, citizenship, or RealMe Verified Identity application. You can continue to use your passport for travel up until the expiry date. 

Why are you contacting me now?

Canopy acted immediately to contain the incident and determine what information may have been affected with assistance from industry experts. 

Our notification processes commenced immediately at the outset of this incident and has continued in the proceeding months and remains a priority for us.

We’ve been contacting potentially affected individuals based on verification processes from cyber security experts and in line with legislation and guidance from the Office of the Privacy Commissioner and Privacy Act.

Due to the complexity and nature of the incident, it also took time to ascertain whether individuals may have been potentially affected.

As soon as that information was verified, we communicated with potentially affected individuals.

Why do you have my information?

Canopy retains information to provide ongoing care, meet legal and regulatory requirements, and ensure the safety and quality of our services. 

What is being done to prevent this from happening again?

Cybercrime is evolving rapidly, and Canopy took immediate steps to contain the incident and further secure information systems.   
 
We are also working with others in the healthcare sector to advance cybersecurity standards, share insights from this incident, and strengthen collective resilience across the industry. 

What support is available?