The State Secretary for Youth, Prevention and Sport, Judith Zs.C.M. Tielen, has expressed her deep regret over the data breach at laboratory Clinical Diagnostics, in which personal data of hundreds of thousands of population screening participants and other patients were captured and partly appeared on the dark web. In response to Parliamentary questions, the state secretary emphasized the serious impact of the hack and the measures being taken to limit the damage and restore confidence.
The state secretary confirms that the scope of the data breach is significantly larger than initially reported. In addition to data from more than 485,000 participants in the population screening for cervical cancer, approximately 230,000 additional individuals were affected. Unfortunately, it cannot be ruled out that this number will increase further. Data from 266 (former) prisoners are also involved, as the State Secretary for Legal Protection previously reported. The laboratory has indicated that the investigation into the exact numbers is nearing completion and that affected healthcare providers will be further informed. Data of patients of general practitioners and hospitals, including Leiden University Medical Center, Amphia hospital and Alrijne hospital, were also leaked.
The state secretary deeply regrets that the personal data fell into the wrong hands. She recognizes the great impact on those directly affected, for whom hearing that their data has appeared on the dark web can be a "tremendous shock." She understands the concerns of (potential) population screening participants, who need to be able to trust in the security of their personal data. "Participating in a population study can already be stressful. Then when you also hear that your personal data has been obtained in a hack and may have appeared on the dark web, it's an appalling shock," the state secretary said.
With respect to data that has appeared on the dark web, the state secretary notes that in practice it is extremely difficult, if not impossible, to have it completely removed. The dark web is characterized by anonymity, making activities difficult to trace. Nevertheless, informing data subjects in a timely manner is crucial, as this allows them to take proactive measures against targeted phishing attacks or identity fraud.
Several measures were taken to limit the damage and prevent a recurrence:
The collaboration with Clinical Diagnostics has been suspended; two other laboratories have taken over the work.
At these replacement labs, the Z-Cert Foundation (healthcare cybersecurity expertise center) conducts permanent vulnerability checks.
Bevolkingsonderzoek Nederland (BVO NL) and RIVM are investigating the exact extent and cause of the hack.
Improvements in data minimization, procurement requirements and retention periods are being researched.
Reports were made to the Personal Data Authority (AP) and the Healthcare and Youth Inspectorate (IGJ), both of which launched investigations.
Prosecutors and police are conducting criminal investigations.
The RIVM requested assistance from the National Cyber Security Center (NCSC), after which Z-Cert took over coordination.
The Ministry of VWS pays constant attention to data security in administrative discussions.
The affected laboratory itself took additional measures, including restricting access to the affected IT environment and increased monitoring.
The state secretary points to the ongoing investigations by the AP and the IGJ, which are to determine whether the reporting obligations under the General Data Protection Regulation (GDPR, known in Dutch as the AVG) were correctly complied with, given that the leak was known to the laboratory on July 6, 2025 but was not reported to BVO NL until August 6, 2025.
For the long term, the IGJ will pay extra attention to information security at medical laboratories and other healthcare providers as a result of this incident. In addition, the Cybersecurity Act (Cbw) is pending, which will introduce a duty of care for information security for larger healthcare providers and healthcare chain organizations, including a duty to report incidents to the IGJ and Z-Cert, and further enforcement options.
The National Vision and Strategy (NVS) on the Health Information System, approved in April 2025, provides the basis for the design of the storage and management of digital health data, in which privacy and information security are integral components. The state secretary sees no objection to the management of health data by private laboratories, as long as they comply with privacy regulations.
The state secretary expects that the actions taken will help restore confidence in population screening and encourage participation. BVO NL is informing affected participants by letter and through news releases. Pilots by the RIVM and BVO NL, such as district-specific information and presence at local events, are underway to increase attendance. The state secretary emphasizes the importance of early cancer detection for less burdensome treatments and better outcomes, which is in everyone's interest.
The state secretary is awaiting the results of the ongoing investigations to draw lessons for future improvements and will continue to keep the House of Representatives informed.
This article was created (in part) with the help of AI, based on the Parliamentary letter from state secretary Judith Zs.C.M. Tielen