Full Report
On 18 July 2025, Canopy Healthcare identified that an unknown person temporarily obtained unauthorised access to a part of our systems used by our administration team. All our services continued to operate as normal. Our clinics, patient services, electronic health record systems, appointments and medical records were not affected. Following a thorough forensic review by our cybersecurity experts, we have been advised that unauthorised access to one of our servers likely occurred, and some data may have been copied.
Analysis Summary
# Incident Report: Unauthorized Access to Canopy Healthcare Administration Systems
## Executive Summary
On July 18, 2025, Canopy Healthcare identified unauthorized temporary access to a portion of its administrative systems. Forensic review confirmed a likely server breach where some data may have been copied. Clinical operations, patient records, and primary healthcare services remained unaffected throughout the incident. Response actions included immediate containment, engaging cyber experts, obtaining a High Court injunction, and notifying regulatory bodies.
## Incident Details
- **Discovery Date:** 18 July 2025
- **Incident Date:** On or around 18 July 2025
- **Affected Organization:** Canopy Healthcare (Parent company of Canopy Imaging, Absolutely Radiology, Canopy Cancer Care, and Auckland Breast Centre)
- **Sector:** Healthcare
- **Geography:** New Zealand (Implied by NZ Police/Privacy Commissioner notification)
## Timeline of Events
### Initial Access
- **Date/Time:** Identified on 18 July 2025. The exact start time is not specified.
- **Vector:** Unknown. Described only as "unauthorised access to a part of our systems used by our administration team."
- **Details:** Access was limited to specific administrative systems; clinical and patient-facing systems were isolated.
### Lateral Movement
- **Details:** Forensic review suggested unauthorized access likely occurred to "one of our servers." The scope of movement outside the initial administrative area is not detailed, but a specific administrative folder was confirmed as contained.
### Data Exfiltration/Impact
- **Details:** Cybersecurity experts advised that "some data may have been copied." The exact nature and volume of the potentially affected data are difficult to ascertain and are still under active investigation. Most of the affected information is assessed to be of low or no risk to individuals.
### Detection & Response
- **Details:** Canopy Healthcare identified the issue and acted immediately to contain the incident, safeguarding information systems. They engaged independent cyber experts, notified the NZ Police and the Office of the Privacy Commissioner, and obtained an urgent High Court injunction to prohibit the use or publication of accessed data.
## Attack Methodology
*(Note: Since the article does not specify TTPs, the assessment below reflects the known compromise level.)*
- **Initial Access:** Unknown (Presumed credential compromise, exploitation of an external-facing administrative server, or social engineering).
- **Persistence:** Not detailed.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Not detailed.
- **Discovery:** Likely involved internal reconnaissance focused on administrative servers.
- **Lateral Movement:** Confirmed access to "one of our servers" within the administrative system segment.
- **Collection:** Experts advised that "some data may have been copied"; the exact data collected has not been confirmed.
- **Exfiltration:** Data was potentially copied, but no evidence of public sharing/leak has been found to date.
- **Impact:** Minimal operational impact; potential privacy impact due to administrative data exposure.
## Impact Assessment
- **Financial:** Not detailed.
- **Data Breach:** It is not confirmed whether patient or staff information was accessed or copied; any exposure was limited to the administrative systems. The impact on individuals is assessed as mostly "very low or no risk."
- **Operational:** **None reported.** Clinics, patient services, EHR systems, appointments, and medical records operated normally throughout. The incident was contained to an administrative section.
- **Reputational:** Public disclosure issued; ongoing communication through an investigation update (January 2026).
## Indicators of Compromise
- **Network indicators:** None provided (No defanged IPs/URLs available).
- **File indicators:** None provided.
- **Behavioral indicators:** Temporary, unauthorized access to administrative servers.
## Response Actions
- **Containment:** Immediate action taken to safeguard and protect information and systems. Confirmed containment to a specific administrative folder.
- **Eradication:** Not detailed, but implied by the measures taken to secure the affected systems.
- **Recovery:** Systems are considered stable; complex forensic analysis to determine the exact scope of the data that may have been copied is ongoing.
## Lessons Learned
- The existing segregation between clinical/patient systems and administrative systems proved effective in preventing disruption to core patient services.
- Forensic analysis of unauthorised data access in complex environments is technically demanding and time-consuming, and requires specialist tools.
- Immediate legal action (a High Court injunction) was used to mitigate potential harm from exposure of the accessed data before any publication occurred.
## Recommendations
- Conduct a full audit of access controls and authentication mechanisms specifically governing the administrative server segment to identify the initial access vector.
- Enhance monitoring and logging specifically on non-clinical servers to improve detection capabilities for unauthorized data staging/collection activities.
- Review and document retention policies for administrative access logs so that the logs needed to reconstruct an intrusion are available and forensic timelines in future incidents are shorter.