Canopy Healthcare has disclosed a cybersecurity incident that occurred on 18 July last year, saying an unauthorised party accessed an administrative server. The company announced the breach six months after the event as investigations continue to determine whether any data was copied.
Canopy said the access was limited to systems used by its administration team and did not affect clinical operations, electronic health record systems, patient services, appointments or medical records. All clinics continued to operate normally. The private company runs four diagnostic clinics, eight oncology clinics, two private breast surgical and diagnostic centres, and a drug compounding business.
After discovering the incident, Canopy said it acted immediately to contain the breach, secure its systems and engage independent cybersecurity experts to conduct a forensic investigation. The company notified the New Zealand Police and the Office of the Privacy Commissioner and obtained an urgent High Court injunction prohibiting the use or publication of any information that may have been accessed.
The investigation remains technically complex, and Canopy said there is uncertainty about exactly what data may have been accessed because of internal security controls. The company assessed that most likely exposed information is of low or no risk to individuals.
Canopy reported that a small number of bank account numbers provided for payment or refund purposes, and some staff identity information, may have been accessed. There is no evidence that patient identity documents were accessed. Affected individuals have been notified directly.
The company said it has not been contacted by the unauthorised party and has not identified who was responsible. It is not aware of any impact on the systems of other healthcare providers. Monitoring for any unauthorised use or distribution of data will continue, and the High Court injunction remains in place.
Leave a Reply