Cervical Cancer Lab Data Breach: Inadequate Security Exposed 850,000 Records

Severity: High (Score: 64.5)

Sources: nos.nl, www.nrc.nl

Summary

In July 2025, Clinical Diagnostics, responsible for cervical cancer screening tests, was hacked, leading to the theft of sensitive data from 850,000 individuals. The Inspection Health Care and Youth (IGJ) found that the lab did not meet legal information security standards at the time of the breach. Key failures included a lack of independent security assessments and inadequate risk management practices. The stolen data included personal information such as test results and identification numbers, raising concerns among affected individuals. The IGJ has mandated Clinical Diagnostics to comply with security regulations, although it cannot impose penalties. The Authority for Personal Data is also investigating potential violations of privacy laws. Law enforcement is involved, with 118 individuals filing complaints, but identifying suspects is challenging due to complex evidence trails. The hacking group Nova is believed to be responsible. Key Points: • Clinical Diagnostics failed to secure sensitive data, affecting 850,000 individuals. • The IGJ's investigation revealed non-compliance with legal security standards. • Law enforcement and data authorities are investigating the breach and its implications.

Key Entities

• Nova (ransomware_group)
• Data Breach (attack_type)
• Clinical Diagnostics (company)
• CWE-200 - Exposure of Sensitive Information (cwe)
• T1041 - Exfiltration Over C2 Channel (mitre_attack)