Gisborne client frustrated with six-month delay in notice for Canopy Healthcare data breach

Canopy Healthcare runs Canopy Imaging (formerly TRG Imaging) next to Three Rivers Medical Centre in Gisborne. The company had a data breach in July, which some clients were only informed of last week. Photo / James Pocock

A Gisborne woman is frustrated it took six months for clients like herself to be informed of a cybersecurity breach affecting screening clinics.

Patient records, passport information and bank account details were affected in a “cyber incident” experienced by service provider Canopy Healthcare in July last year.

Canopy describes itself as “the largest private medical oncology provider in New Zealand”.

It runs Canopy Imaging (formerly TRG Imaging) next to Three Rivers Medical Centre in Gisborne.

In a post to its website, dated January 2026, the company said an unknown person temporarily obtained unauthorised access to a part of its systems used by the administration team on July 18.

“The company acted with urgency and took immediate steps to contain the incident and further secure our information systems. We confirmed that the incident was contained in a specific administrative folder and did not affect any of our clinics, patient services, electronic health record systems, appointments and medical records,” Canopy said.

“There continues to be some uncertainty as to the precise data and individuals that may have been affected.

“At this stage, we are not aware of there being any evidence that any of the potentially affected information has been shared or posted online.”

The company said it notified people where its records showed they had accessed one of its services in the past.

Canopy said it notified the Privacy Commissioner and police at the time of the attack.

It had also obtained an urgent injunction from the High Court to prevent the use or publication of any information that may have been accessed.

“We have not been able to confirm who was responsible. To date, Canopy has not been contacted by the unauthorised party. We have referred the matter to the New Zealand Police.”

A client of the Gisborne-based screening facility, Kristine Walsh, received an email notifying her about the incident on January 12.

The email said “the data accessed may have included some health-related information such as your name, contact details and referral information".

“There is no indication that any credit card, banking information or identity documents were affected.”

Walsh was frustrated by the time delay between the incident and notification.

“It’s not the breach that’s annoying because these things happen. It is the fact that it took them six months to notify me,” she said.

Responding to Gisborne Herald queries, Canopy said, in a statement, the incident had not affected any of its clinics, appointments, client electronic health records or patient management systems, including those in Gisborne.

“Due to the complexity and nature of the incident, it took time to ascertain whether individuals may have been potentially affected. That includes for the patients at the Three Rivers centre. As soon as that information was verified, we have communicated with potentially affected individuals over the past few months, with the final group notified last week,” the statement read.

Canopy said it could not give information on the exact number of people affected by the data breach.

In another healthcare-related cybersecurity incident that came to light on December 30, about 127,000 patients had their medical files accessed in a ransomware breach of the Manage My Health portal for GPs.

Health Minister Simeon Brown earlier told the NZ Herald: “The Privacy Act 2020 and the Health Information Privacy Code set out requirements that Canopy Healthcare is obligated to comply with.

“While the Ministry of Health does not have regulatory authority over Canopy Healthcare as it is a private company, the review I have commissioned of Manage My Health will consider lessons that can be applied to strengthen the protection of patient data.”