Inspectorate to investigate laboratory after data breach affecting 485,000 women

The Health and Youth Care Inspectorate (IGJ) is going to investigate the laboratory Clinical Diagnostics in Rijswijk. Hackers recently stole data from more than 485,000 women who participated in the cervical cancer screening program. The investigation is focusing on information security, the inspectorate reported on Friday.

The timing and approach of the investigation are being closely coordinated by the IGJ with the Dutch Data Protection Authority (AP). The privacy regulator announced last week that it would be looking into the data theft. Partly in response to the risks revealed by this hack, the IGJ will also take a broader look at information security in laboratories.

At Clinical Diagnostics, smears and self-tests from individuals were analyzed on behalf of the National Screening Program Netherlands. The hackers stole personal data, including names, addresses, and cities of residence, as well as dates of birth, social security numbers (BSN), test results, and the names of healthcare providers.

In a surprising development, the cybercriminal group responsible for the hack, Nova, has promised not to publish the stolen private data. “I want to reassure patients that their data have been deleted under the first deal,” the group wrote to RTL Nieuws. Earlier this week, Nova had threatened to sell the data to other criminals.

Data from people who underwent tests via hospitals or general practitioners, including tests for urine, skin, or the penis, were also discovered on the Dark Web. RTL Nieuws found that data from 53,516 patients had been shared, totaling around 100 megabytes. The leak even included information about a minister and a member of parliament.

The hackers emphasized on Friday that only a small part of the stolen data had been published on the Dark Web. "And that has now also been deleted." RTL Nieuws confirmed that the data cannot be found.

Over 405,000 women who took part in the cervical cancer screening program received letters this week notifying them that their data had been leaked. They were warned to be extra alert to fraud during this time. For 80,000 people, information was missing, meaning the National Screening Program Netherlands could not yet provide them with confirmation. The organization has requested additional information from the laboratory.

Caretaker Minister of Health, Welfare and Sport, Danielle Jansen, said prior to the weekly council of ministers’ meeting on Friday that the women in question “should be cautious” now that their data is in the hands of criminals. “By conducting more research now, we hope to provide even greater assurance in the future that data are secure.” According to the NSC minister, the insights gained could potentially lead to “targeted measures.”

The minister is also having researchers “on the sidelines” examine the laboratories that took over the work of the hacked lab, “to make sure everything is in order.”