This summer, a major cyberattack targeted Clinical Diagnostics NMDL, the laboratory in charge of cervical cancer screening in the Netherlands. Between 3 and 6 July 2025, hackers affiliated with the group Nova gained access to a massive amount of sensitive personal data. According to initial reports, the personal data of nearly 485,000 women who underwent these screenings may have been exposed, including names, addresses, dates of birth, social security numbers (BSN), test results, and some data relating to healthcare professionals.
A subset of this information (approximately 53,000 records) was allegedly published on the Dark Web and later removed. The press reported that a ransom had been paid, but the laboratory has not officially confirmed either the payment or the complete removal of the stolen data.
More than 405,000 women were notified by letter or email, and were advised to exercise caution against phishing attempts and fraud.
Regulatory response
- The Health and Youth Care Inspectorate (IGJ) launched an investigation into the laboratory’s security measures.
- The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) is examining whether the laboratory complied with its obligation to notify the breach within the legal 72-hour deadline. Failure to comply may result in sanctions of up to €20 million or 4% of annual global turnover.
- Several thousand women have already registered to participate in a class action led by a specialised law firm.
Key takeaways
- Third-party vulnerabilities: The role of an external laboratory, connected to public health authorities, shows how subcontractors can undermine overall compliance and become the weakest link in data security.
- Persistent opacity: The lack of official confirmation regarding the ransom payment and the full removal of the data fuels uncertainty and public distrust.
- Human impact: The exposure of medical records — among the most sensitive categories of personal data under the GDPR — creates legitimate distress and increases the risk of blackmail and identity fraud.
- Systemic reminder: Healthcare data remains a prime target for cybercriminals. Governance and resilience in this sector require urgent strengthening, both technically and contractually.
Conclusion
This incident is a stark reminder that GDPR compliance and cybersecurity are inseparable. More than a regulatory requirement, they are the foundation of trust between patients and healthcare institutions.
Beyond the Dutch case, the breach highlights how important it is for all European organisations to:
- map and regularly audit their processors and subcontractors,
- strengthen contractual security clauses,
- prepare crisis response and communication scenarios (including ransom threats),
- put the protection of data subjects and sensitive personal data at the centre of their response strategy.
