Canopy Healthcare, a New Zealand provider of oncology and diagnostic imaging services, disclosed a cybersecurity incident six months after an unauthorised party accessed an administrative server on 18 July last year. The company said investigations are ongoing to determine whether any data was copied.
The access was limited to systems used by the administration team and did not affect clinical operations, electronic health record systems, patient services, appointments or medical records, Canopy said in a media release on Monday. All clinics continued operating as normal. Canopy operates four diagnostic clinics, eight oncology clinics, two private breast surgical and diagnostic centres, and a drug compounding business.
Canopy said it acted immediately after discovery to contain the incident, secure its systems and engage independent cybersecurity experts to conduct a forensic investigation. The company notified the New Zealand Police and the Office of the Privacy Commissioner and obtained an urgent High Court injunction prohibiting the use or publication of any information that may have been accessed.
The investigation remains technically complex, and Canopy said there is some uncertainty about exactly what data may have been accessed because of internal security controls. The company assessed that most likely exposed information is of low or no risk to individuals.
Canopy said a small number of bank account numbers provided for payment or refund purposes and some staff identity information may have been accessed, while there is no evidence that patient identity documents were accessed. Affected individuals were notified directly.
The company has not been contacted by the unauthorised party and has not identified who was responsible. It is not aware of any impact on the systems of other healthcare providers. Monitoring for any unauthorised use or distribution of data will continue, and the High Court injunction remains in place.
Leave a Reply