Data from over 485,000 participants in a cervical cancer screening program has been stolen by threat actors after they gained unauthorized access to a third-party laboratory, according to the Dutch authorities.
The attack took place at the Clinical Diagnostics NMDL laboratory in Rijswijk, not far from Rotterdam, between July 3 and July 6.
However, the laboratory, a subsidiary of Eurofins Scientific, did not inform the authorities until August 6, according to a news release published yesterday by the Dutch Population Screening Association (BDO).
The stolen information is thought to include names, addresses, dates of birth, citizen service numbers (BSN), possible test results and the names of participants’ healthcare providers, the BDO said. Email addresses and phone numbers for a smaller number of victims were also taken.
The BDO has suspended services at the lab temporarily while it carries out an independent investigation of the IT security systems there. It said that citizens can continue to participate in the screening program as a different lab will be used to process results.
However, the BDO warned victims of the potential for follow-on fraud if the threat actors sell or release the stolen information. Those impacted by the breach are currently being notified by the Dutch authorities.
“We are deeply shocked by this data breach, and we understand that participants who participated in population screening through us are also very shocked. I would like to express to them our deepest regret that this has happened,” said BDO chair, Elza den Hertog.
“Participating in the cervical cancer screening program is already a stressful experience for many participants. And now you're being told that your personal data may have been leaked as well.”
The Weakest Link
However, the breach may be even worse than first thought, with some local reports suggesting that the hackers also obtained the personal and medical information of other patients who used the lab over the past three years. As much as 300GB may have been taken.
Forescout VP of security intelligence, Rik Ferguson, argued that the incident highlights how a single weak link can have a big impact on a large number of victims.
“Attackers look for the unmanaged and the unmonitored. If you can’t see it, you can’t secure it, and you can’t contain it when it’s breached,” he said.
“This isn’t about patching faster or buying another point product; it’s about building a security posture based on clear visibility and control.”