Hackers steal cervical cancer data of almost 500,000 women in Netherlands

Anger at delay in alerting patients to breach as medical details emerge on ‘dark web’

The data includes names, addresses and social security numbers as well as test results. File photograph: iStock

Hackers have stolen the medical data of almost 500,000 women who took part in mass screening for cervical cancer in the Netherlands.

The information was held by a clinical laboratory paid to analyse the data, the Dutch population screening bureau said.

The data, which covers a period from 2022 to this year, included names, addresses, dates of birth and social security numbers of the women as well as detailed test results and follow-on medical advice from doctors.

The information was stolen from Clinical Diagnostics, a lab in Rijswijk, near The Hague, early last month, the screening bureau said.

However, the patients and the bureau itself were only alerted last week.

The bureau, Bevolkingsonderzoek Nederland, reacted angrily to that delay, saying it was “shocking and reprehensible” that the 485,000 women who needed to know immediately were only now being told by letter.

Under European Union data protection regulations known as GDPR, institutions are obliged to inform those directly affected, as well as the data protection authorities, within 24 hours of becoming aware of a data breach.

Clinical Diagnostics tried to explain the delay by saying it wanted to make sure it “took the right steps” in the aftermath.

Despite that, the screening bureau has suspended all dealings with the clinic – one of six specialising in clinical chemistry, medical microbiology, molecular diagnostics and genomics in the Netherlands – until it receives a guarantee that new tests can be processed securely.

The bureau’s national chair, Elza den Hertog, went on TV to apologise and to try to reassure the public, describing the theft of data as “a nightmare scenario” – particularly since her organisation had been campaigning hard to persuade women to take the cervical screening test.

“We were getting there with our campaign”, she said.

“But now these women’s data is in the hands of criminal third parties. We are extremely sorry about that.”

Caretaker health minister Danielle Jansen has ordered an independent investigation.

As she did so, however, it emerged that the scale of the intrusion could be worse than first feared.

Data relating to tests on other tissue samples and on urine, carried out at hospitals such as Leiden University Medical Centre and Alrijne and Amphia hospitals, has also been stolen.

In addition, Z-Cert, the healthcare cybersecurity centre, said it had already found data from Clinical Diagnostics on the “dark web”, a hidden part of the internet that requires specific software to access.

A total of 100 megabytes of the 300 gigabytes of data stolen has been posted there to date – the equivalent of the data of about 53,516 patients.


Peter Cluskey


Peter Cluskey is a journalist and broadcaster based in The Hague, where he covers Dutch news and politics plus the work of organisations such as the International Criminal Court