Hackers Breach Cervical Cancer Data of Nearly 500,000 Women

Nearly 500,000 women in the Netherlands have had their medical data compromised in a significant cyberattack. The breach involved data collected from participants in a mass screening program for cervical cancer, with the sensitive information stored at Clinical Diagnostics, a laboratory based in Rijswijk, near The Hague. The incident was reported by the Dutch population screening bureau, known as Bevolkingsonderzoek Nederland.

The stolen data spans from 2022 to early 2023 and includes personal details such as names, addresses, dates of birth, and social security numbers. In addition, the breach exposed detailed test results and follow-up medical advice provided by healthcare professionals. Bevolkingsonderzoek Nederland indicated that the breach occurred last month, but it was only last week that both the affected women and the bureau were informed.

This delay has drawn sharp criticism. Elza den Hertog, the national chair of Bevolkingsonderzoek Nederland, expressed outrage at the timeline, calling it “shocking and reprehensible” that women remained uninformed about the breach for so long. Under the European Union’s General Data Protection Regulation (GDPR), organizations are required to notify affected individuals and data protection authorities within 24 hours of discovering a data breach.

Clinical Diagnostics attempted to justify the delay, stating it wanted to ensure it had taken appropriate steps before making any announcements. Despite this explanation, Bevolkingsonderzoek Nederland has suspended all collaborations with the laboratory until assurances are provided that new tests can be conducted securely.

Den Hertog publicly apologized, describing the situation as “a nightmare scenario.” She noted that the organization had been actively campaigning to encourage women to participate in cervical screening tests, stating, “We were getting there with our campaign, but now these women’s data is in the hands of criminal third parties. We are extremely sorry about that.”

In response to the breach, caretaker Health Minister Danielle Jansen has ordered an independent investigation to assess the extent and impact of the intrusion. Reports indicate that the scale of the breach could be broader than initially anticipated. Data from other tissue samples and urine tests conducted at institutions such as Leiden University Medical Centre and Alrijne and Amphia hospitals has also been reportedly stolen.

Adding to the concerns, Z-Cert, the healthcare cybersecurity center, has confirmed that some of the stolen data has appeared on the dark web. Currently, approximately 100 megabytes of the total 300 gigabytes of stolen data has been posted online, affecting around 53,516 patients.

As this situation unfolds, the impact on the women involved and the healthcare system in the Netherlands remains a significant concern, underscoring the urgent need for robust cybersecurity measures to protect sensitive medical information.