In a post to its website, dated “January 2026″, the company said a “small” amount of data was copied.
“There continues to be some uncertainty as to the precise data and individuals that may have been affected,” Canopy said.
“At this stage, we are not aware of there being any evidence that any of the potentially affected information has been shared or posted online,” the company said.
“On July 18, 2025, Canopy Healthcare identified that an unknown person temporarily obtained unauthorised access to a part of our systems used by our administration team.
“In instances where some patient or staff information may have been accessed, we are contacting those individuals directly.”
‘Not happy’ at delay
One patient, who did not wish to be named, forwarded the Herald a copy of a letter sent by Canopy on December 12.
It included the line, “As a precaution, we are letting you know that the data accessed may have included some health-related information such as your name, contact details, referral request or radiology report information.”
The patient said they were “not happy” to get the notification in December, given the breach took place on July 18.
A Canopy spokesperson said in a statement: “We’ve been contacting potentially affected individuals based on verification processes from cyber security experts and in line with legislation and guidance from the Office of the Privacy Commissioner.
“Due to the complexity and nature of the incident, it also took time to ascertain whether individuals may have been potentially affected.
“As soon as that information was verified, we communicated with potentially affected individuals over the past few months, with the final group notified this week.”
Some customers’ bank account numbers accessed
Canopy explained in its online post: “The unauthorised party may have accessed a small number of bank account numbers, which had been provided to Canopy for payment or refund purposes. We are directly notifying potentially affected individuals.”
The message also said: “There have been some instances of staff identity information potentially being affected, and we have notified those staff to provide support.”
Canopy advised those whose passport information had been compromised could add an “alert” to their record via the Ministry of Internal Affairs.
“No credit cards were affected,” it clarified.
Canopy said its operations and services continued as normal.
“Despite rigorous investigation, we have not been able to confirm who was responsible,” it said.
“To date, Canopy has not been contacted by the unauthorised party.”
Canopy said it notified the Privacy Commissioner and Police at the time of the attack.
It had also obtained an urgent injunction from the High Court to prevent use or publication of any information that may have been accessed.
The company has been approached for comment.
Canopy’s public statement follows the December 30 revelation that some 127,000 patients had their medical files accessed in a ransomware breach of the Manage My Health portal for GPs.
Security experts said they found flaws in Manage My Health’s technical setups, while questions have also been raised about governance and government oversight of private providers.
Health Minister Simeon Brown told the Herald in a statement: “The Privacy Act 2020 and the Health Information Privacy Code set out requirements that Canopy Healthcare is obligated to comply with.
“While the Ministry of Health does not have regulatory authority over Canopy Healthcare as it is a private company, the review I have commissioned of Manage My Health will consider lessons that can be applied to strengthen the protection of patient data.”
Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is the technology editor and a senior business writer.
