According to healthcareitnews.com, Canopy Healthcare, an oncology and diagnostic imaging provider in New Zealand, has disclosed a cybersecurity incident around six months after it happened, confirming that an unauthorised party accessed an administrative server while investigators work to determine whether any information was copied.
Canopy said the unauthorised access occurred on 18 July last year and was confined to systems used by the company’s administration team, as outlined in a media release issued on Monday.
The privately owned provider emphasised that the event did not disrupt clinical operations, EHR systems, patient services, appointments, or medical records, and that all clinics continued running normally. Canopy operates four diagnostic clinics, eight oncology clinics, two private breast surgical and diagnostic centres, and a drug compounding business.
After the incident was identified, the company said it moved quickly to contain the intrusion, strengthen security, and bring in independent cybersecurity specialists to conduct a forensic review.
Canopy also reported the matter to New Zealand Police and the Office of the Privacy Commissioner, and secured an urgent High Court injunction prohibiting the use or publication of any information that may have been accessed.
The organisation said the investigation remains technically complex, and that its own internal security controls mean there is still uncertainty about precisely what data may have been accessed. However, it assessed the most likely exposure as “low or no risk” to individuals.
It added that a small number of bank account numbers supplied for payment or refund purposes, along with some staff identity information, may have been accessed, while there is no indication that patient identity documents were affected. People believed to be impacted were contacted directly.
Canopy said it has not been contacted by the unauthorised party and has not yet been able to identify who was responsible. It also said it is not aware of any effect on other healthcare providers’ systems.
Monitoring for any unauthorised use or distribution of information will continue, and the High Court injunction will remain permanently in place, the company said.