Canopy notified New Zealand Police and the Office of the Privacy Commissioner and obtained a High Court injunction to restrict any use or publication of data that may have been accessed. As a private provider, it is not regulated by the Ministry of Health but is subject to the Privacy Act 2020 and the Health Information Privacy Code. In its email, Canopy said there was “no indication that any credit card, banking information, or identity documents were affected.” On its website, however, the company stated: “The unauthorised party may have accessed a small number of bank account numbers, which had been provided to Canopy for payment or refund purposes. We are directly notifying potentially affected individuals.” For underwriters, the notification timeline and the differences between direct and online communications may be relevant when reviewing compliance with policy conditions on prompt notice of circumstances, regulatory engagement, and communication with affected parties, as well as any potential for class or representative claims.
