Dutch watchdog says healthcare lab failed data security rules before cyberattack
The Dutch Health and Youth Care Inspectorate (IGJ) has concluded that Clinical Diagnostics failed to adequately protect its data before last year’s cyberattack. During the breach, hackers obtained the medical records of hundreds of thousands of women who had taken part in cervical cancer screening tests.
The inspectorate said the laboratory failed to meet mandatory legal standards. Among other shortcomings, its cybersecurity measures had not undergone an independent review. Clinical Diagnostics also had not carried out a proper risk assessment, meaning it was unable to identify which safeguards were needed to secure sensitive information.
Had the lab followed the rules properly, this “could have reduced the likelihood of a major data breach and limited its consequences,” the inspectorate said.
The ransomware group “Nova” was behind the attack in July 2025. They demanded a ransom of about 1.1 million euros in cryptocurrency and still published parts of the stolen data on the dark web.
The IGJ investigated whether Clinical Diagnostics followed healthcare data-processing laws when handling personal information. While the inspectorate itself cannot issue fines, the Dutch Data Protection Authority can. The Dutch privacy regulator is separately investigating whether the lab adhered to European data protection rules.
The scale of the data breach turned out to be significantly greater than first believed. While initial estimates suggested 485,000 victims, cybercriminals are now believed to have obtained the personal information of over 850,000 individuals.
Dutch prosecutors and police are carrying out a criminal investigation into the data breach, with 118 formal complaints submitted so far. Meanwhile, personal injury attorneys are organising large-scale compensation claims representing tens of thousands of women impacted by the leak.
Reporting by ANP and NL Times
