Amsterdam — Nearly half a million women in the Netherlands have had their personal and medical records stolen in a cyberattack targeting a major laboratory involved in the country’s national cervical cancer screening program, authorities confirmed this week.
The breach, which occurred at Clinical Diagnostics NMDL, a laboratory based in Rijswijk, compromised the sensitive data of about 485,000 individuals. Stolen files include names, addresses, dates of birth, citizen service numbers, and in many cases, the results of intimate medical examinations, according to investigators familiar with the case.
The hackers, who identified themselves as the group “Nova,” claim to have extracted more than 300 gigabytes of information. To demonstrate their access, they have already released a sample of the stolen data online, containing medical results and personal details of over 50,000 people. Some of the victims include women living in shelters, raising acute concerns for their safety and privacy.
In a ransom note posted on the dark web, Nova demanded the payment of 11 bitcoins, valued at roughly €1.1 million, or about $1.28 million, by August 28. The group warned that unless their demands are met, the entirety of the data will be published, an ultimatum that has intensified fears among health authorities and privacy regulators.
Dutch privacy watchdog Autoriteit Persoonsgegevens has opened an investigation into the handling of the breach, examining whether Clinical Diagnostics failed to notify regulators and victims promptly. Under European data protection rules, institutions are required to report breaches within 72 hours and promptly inform affected individuals. Critics say delays in notification, believed to have stretched nearly a month, may have worsened the exposure of patients.
Security experts have warned that the incident reflects a broader vulnerability in Europe’s healthcare infrastructure. With personal health records increasingly digitized, medical data has become one of the most lucrative targets for cybercriminals, who value such information for identity theft, blackmail, and exploitation on criminal markets.
The case has prompted sharp criticism of both the clinic and Dutch authorities for what analysts describe as systemic failures to protect sensitive information. As one cybersecurity specialist observed, the breach underscores “how one weak link in the chain can bring down an entire system.”
According to Anadolu, the Nova group has accused Clinical Diagnostics of violating a previous ransom settlement by allegedly contacting law enforcement, prompting the renewed extortion threat and public leak of data. The group has set a deadline of late August for payment, warning of full disclosure if demands are ignored.
