Update: Information regarding cyber incident. (December 2025)

Canopy Healthcare’s Cyber Response  

Information and Update 
December 2025

On 18 July 2025, Canopy Healthcare identified that an unknown person temporarily obtained unauthorised access to a part of our information systems used by our administration team.   

All our services continued to operate as normal. Our clinics, patient services, electronic health record systems, appointments and medical records were not affected. 

Following a thorough forensic review by our cybersecurity experts, we have been advised that unauthorised access to one of our servers likely occurred, and some data may have been copied. 

We want to reassure our community of the following: 

  • Clinical operations remain unaffected. All Canopy clinics and patient services continue to operate as normal and patient appointments remain unaffected. Our systems are stable and functioning securely. 
  • The incident has been contained. We acted immediately to safeguard and protect information and our systems. 
  • The investigation is ongoing. We are actively assessing the nature and scope of the data that may have been accessed or copied. This includes identifying any potentially impacted information and individuals. 
  • No impact to other providers. At this time, we are not aware of any effects on the systems of other healthcare providers or services. 
     

Frequently Asked Questions (FAQs)

What has happened?

In 18 July 2025, Canopy Healthcare identified that an unknown person temporarily obtained unauthorised access to a part of our information systems used by our administration team.    
All our services continued to operate as normal. Our clinics, patient services, electronic health record systems, appointments and medical records were not affected.  

What steps has Canopy Healthcare taken?

The company acted with urgency and took immediate steps to contain the incident and further secure our information systems.  
We confirmed that the incident was contained in a specific administrative folder and did not affect any of our clinics, patient services, electronic health record systems, appointments and medical records.  
In addition to immediately securing our systems, we worked with independent cyber experts to respond to the incident and understand what data may have been affected. We also applied for and obtained an urgent injunction from the High Court to prevent use or publication of any information that may have been accessed and notified the NZ Police and the Office of the Privacy Commissioner. 

What data may have been affected?

Canopy’s cyber team have been working hard to identify the data that may have been impacted in the incident so that we could directly contact individuals potentially affected  
This has been a technically complex and time-consuming process, that has involved the use of specialist tools. Due to the nature of the breach and the internal security controls in place to protect the data, there continues to be some uncertainty as to the exact data that may have been accessed. However, our assessment confirms that most information potentially affected was likely to be of very low or no risk to individuals. 
In instances where some patient or staff information may have been accessed, we are contacting those individuals directly.  

Has the data been misused or leaked online?

Following the event, Canopy cyber experts immediately commenced monitoring for the unauthorised use or distribution of potentially affected data. 
At this stage, we are not aware of there being any evidence that any of the potentially affected information has been shared or posted online.  
We will continue this monitoring for the foreseeable future.  
The High Court injunction prohibiting use or publication of any potentially accessed data will remain permanently in place. 

Who caused this event?

Despite rigorous investigation, we have not been able to confirm who was responsible.  
To date, Canopy has not been contacted by the unauthorised party.  
We have referred the matter to the New Zealand Police. 

Is my identity at risk?

It is unlikely that your identity is at risk. However, we continue to recommend caution – not only due to this incident but also as cyber incidents more broadly continue to rise.  

The following sites provide useful information on how you can stay cyber safe: 

Please take care when receiving emails or texts that seem unusual or ask for sensitive information or password resets. 
If you get a message you weren’t expecting, especially one asking for payment or personal details, it’s best not to reply. Verify the request through a trusted source before responding. 
If something doesn’t look right, you can let the NZ Police know using theirFraud/Scam/Cyber page. 
Canopy requests for information or payment will only be made using a Canopy Healthcare email address such as canopyhealthcare.co.nz, canopycancercare.co.nz, canopyimaging.co.nz, iMIX.co.nz or absolute.co.nz.

Have they got my bank account details?

The unauthorised party may have accessed a small number of bank account numbers, which had been provided to Canopy for payment or refund purposes. We are directly notifying potentially affected individuals.  
It is unlikely the threat actor can take significant action with these details, as sensitive bank account information is highly protected.  
However, if you are concerned, please contact your bank. 

Were credit cards affected?

No credit cards were affected. 

Were any of my identity documents affected?

There is no evidence of any identity documents being affected for patients. 
There have been some instances of staff identity information potentially being affected, and we have notified those staff to provide support.  

What do I do if my passport may have been affected?

New Zealand passports are considered highly secure and are protected by robust identity verification and anti-fraud measures.
There is currently no requirement to replace a New Zealand passport involved in a data breach due to the high security standards in New Zealand.  

However, you can add an alert to your passport record at this website: Declare your New Zealand passport lost, stolen, damaged or involved in a data breach or scam 

If you place an alert, this means that extra security checks will be done if your passport details appear on a passport, citizenship, or RealMe Verified Identity application. You can continue to use your passport for travel up until the expiry date. 

Why are you contacting me now?

Canopy acted immediately to contain the incident and determine what information may have been affected with assistance from industry experts. 
Due to the nature of the breach and the internal security controls in place to protect the data, this analysis has been complex and has required the use of leading-edge tools. There continues to be some uncertainty as to the precise data and individuals that may have been affected.  
However, out of an abundance of caution, we are writing to individuals who may have been affected, so that they are informed and also can receive further advice or support.  

Why do you have my information?

Canopy retains information to provide ongoing care, meet legal and regulatory requirements, and ensure the safety and quality of our services. 

What is being done to prevent this from happening again?

Cybercrime is evolving rapidly, and Canopy took immediate steps to contain the incident and further secure information systems.   
 
We are also working with others in the healthcare sector to advance cybersecurity standards, share insights from this incident, and strengthen collective resilience across the industry. 

What support is available?