A breach at a Dutch laboratory has exposed the personal and medical data of more than 485,000 women in the national cervical cancer screening programme.
The attack hit Clinical Diagnostics NMDL, a Eurofins subsidiary in Rijswijk. The lab tests self-sample kits and smear test samples for Bevolkingsonderzoek Nederland (Population Research Netherlands).
Bad actors accessed names, addresses, dates of birth, citizen service numbers, possible test results, and the names of participants’ healthcare providers
The ICT systems of Population Research Netherlands were not compromised.
“We Are Extremely Shocked”
Elza den Hertog, chair of the board at Population Research Netherlands, said: “We are extremely shocked by this data breach and we understand that participants who participated through us in population research are, of course, also very shocked by this.”
She said for many, taking part in the cervical cancer screening programme is already a significant and sometimes daunting step, and to now be told that their personal data may also have been exposed makes it even more difficult.
Population Research Netherlands sets strict standards for the protection of participants’ data and makes clear agreements on this with the laboratories that it works with, den Hertzog continued.
“We deeply regret that this has now gone so wrong at one of the laboratories we work with. An independent investigation has therefore been launched into how this could have happened and how we can prevent these types of incidents as much as possible in the future,” she added.
An independent investigation has begun. Its focus: how the breach happened and how to stop it happening again.
Services Suspended
The hack took place between 3 and 6 July. Population Research Netherlands learned of it on 6 August.
Work with NMDL has been suspended until the lab can prove its systems are secure. Other laboratories have taken over test processing.
The breach does not affect test results already issued. Women who have been screened do not need to be tested again.
Breast and colon cancer screening programmes are also not affected. Their samples are handled by other laboratories.
Those affected will be contacted directly. The process will take time, given the size of the breach and the sensitivity of the data.
A limited number of email addresses and phone numbers were also accessed. Authorities warn that stolen data can be misused, and that participants should remain alert to phishing attempts or suspicious calls.
The Dutch government has published advice on protecting against fraud.
Programme Profile
Women aged 30 to 60 (in some cases up to 65) are invited to participate in cervical cancer screening. They can use a self-sampling kit or have a smear test at their GP. Samples are processed at one of three contracted laboratories.
Population Research Netherlands runs national screening programmes for breast, cervical, and colon cancer on behalf of the Ministry of Health, Welfare and Sport, working with GPs, hospitals, and other partners to detect cancer early.
The investigation is ongoing. NMDL will not handle new samples until it is complete.
Investing in Security
Dray Agha, senior manager of security operations at Huntress, commented: “This incident underscores the urgent importance for healthcare organisations to prioritise robust, foundational, and simple cybersecurity measures. Protecting sensitive personal and medical data is vital, not only to maintain patient trust but also to prevent potential harm that could arise from such breaches, including identity theft and misuse of health information.”
As threat actors grow increasingly sophisticated, Agha said, continuous investment in security, staff training, and proactive threat detection must be standard practice to defend against these types of large-scale compromises. “Security awareness training and detection and response capabilities are table stakes in 2025, to ward off the danger cyber criminals pose to organisations.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.