Patients are expressing significant outrage after Canopy Health waited six months to disclose a major cyber attack that compromised their personal information. The leading private oncology provider revealed that while the breach occurred in July 2025, many affected individuals only received notification in mid-December or early January.

Canopy Health, the largest private provider of breast cancer diagnosis and treatment in the country, recently disclosed that an unauthorized individual gained access to administrative servers in mid-July 2025. Following a forensic investigation, the company confirmed that data was likely copied during the event. Despite the sensitivity of medical and personal records, the organization waited until this week to provide a public update and began sending out individual notification letters months after the initial discovery.

The delay has sparked a wave of anger among patients who feel their privacy was compromised without their knowledge. One woman, who accessed services through the national breast screening program, labeled the six-month silence as outrageous and noted that her confidence in the country's health data security had reached an all-time low. Others expressed concern that their information could have been used against them in the months leading up to the disclosure, arguing that the delayed communication left them unable to take protective measures.

Discrepancies in the company’s communication have added to the frustration of those affected. While some notification emails suggested that financial documents were not impacted, the company’s official website admitted that hackers may have accessed a small number of bank account numbers used for payments and refunds. This perceived inconsistency has led patients to question the transparency and accuracy of the information being provided by the healthcare provider.

The scope of the breach is particularly concerning given Canopy Health's extensive network, which includes twenty-four diagnostic clinics and multiple oncology and surgical centers. Many patients were referred to these private clinics through government-funded programs, meaning the breach affects a broad demographic of individuals seeking essential cancer screenings and treatments. Some patients who also use other health management platforms noted that the slow response appears to be a systemic failure in data security and communication across the sector.

As the investigation into the cyber attack continues, Canopy Health maintains that the incident has been contained and that it is unlikely the stolen data can be used for significant identity theft. However, many patients remain unconvinced and are calling for greater accountability regarding how their sensitive medical information is protected. Both Health NZ and Canopy Health have been approached for further comment as the public reaction to the delayed notification grows.

Source: Second Health Provider Canopy Health Hit In Major Cyber Attack