Photo: Gorodenkoff Productions OU/Getty Images
Canopy Healthcare, an oncology and diagnostic imaging provider in New Zealand, experienced a cybersecurity incident in July, saying that an unauthorised party accessed an administrative server while investigations are underway to determine whether any data was copied.
The unauthorised access occurred on 18 July last year and was limited to systems used by the company's administration team, Canopy said in a media release on Monday.
The private company stressed the incident did not affect clinical operations, EHR systems, patient services, appointments, or medical records, and that all clinics continued operating as normal. It runs four diagnostic clinics, eight oncology clinics, two private breast surgical and diagnostic centres, and a drug compounding business.
Following the discovery, Canopy said it acted immediately to contain the incident, secure its systems, and engage independent cybersecurity experts to conduct a forensic investigation.
The company also notified the New Zealand Police and the Office of the Privacy Commissioner and obtained an urgent High Court injunction prohibiting the use or publication of any information that may have been accessed.
Canopy shared that the investigation remains technically complex, with some uncertainty over exactly what data may have been accessed due to internal security controls, although most likely exposed information is assessed as being of "low or no risk" to individuals.
It noted that a small number of bank account numbers provided for payment or refund purposes, as well as some staff identity information, may have been accessed, while there is no evidence that patient identity documents were touched. Affected individuals were notified directly.
Canopy said it has not been contacted by the unauthorised party, nor has it been able to identify who was responsible. It is also unaware of any impact of the breach on the systems of other healthcare providers.
Monitoring for any unauthorised use or distribution of data will continue, with the High Court injunction remaining permanently in place, it added.
THE LARGER CONTEXT
Another private company, Manage My Health, which operates a widely used patient portal in New Zealand, recently disclosed a hack on its system before the New Year, which leaked data of up to 126,000 individuals over the dark web. Hackers reportedly asked for a NZ$104,000 ($60,000) ransom. The New Zealand Ministry of Health already commissioned a review of the cyber incident and the company's response.
_
Editor's note: The original lede of this article mentioned Canopy disclosing the cyber breach six months after it occurred. It has since been corrected to avoid confusion.
