Cyberattack exposes nearly 500,000 women’s medical records in Dutch cervical cancer screening program

Nearly half a million women in the Netherlands have had their personal and medical records stolen in a cyberattack against a major laboratory connected to the country’s national cervical cancer screening program, Dutch authorities confirmed this week.

The breach targeted Clinical Diagnostics NMDL, a laboratory based in Rijswijk, and compromised the sensitive information of about 485,000 people. Investigators said the stolen files include names, addresses, dates of birth, citizen service numbers, and in many cases, the results of medical examinations.

The hacker group behind the attack, which calls itself “Nova,” claims to have extracted more than 300 gigabytes of data. To prove its access, the group released a sample containing the personal and medical details of more than 50,000 women. Some victims were identified as women living in shelters, raising concerns for their safety and privacy.

In a ransom note posted on the dark web, Nova demanded 11 bitcoins, valued at approximately €1.1 million, or $1.28 million, by August 28. The group threatened to publish the full dataset if its demands were not met. According to Turkish news outlet Anadolu, Nova also accused Clinical Diagnostics of violating a previous ransom settlement by involving law enforcement, a move the group claims triggered the renewed extortion and public data release.

The Dutch privacy watchdog, Autoriteit Persoonsgegevens, has launched an investigation into how the breach was handled, including whether Clinical Diagnostics failed to notify regulators and victims within the timeframe required under European data protection law. Under the EU’s General Data Protection Regulation, organizations must report breaches within 72 hours and promptly alert those affected. Critics say a delay of nearly a month worsened the risk for patients.

Cybersecurity experts have warned that the attack highlights broader weaknesses in Europe’s healthcare systems. Medical records, increasingly stored digitally, are considered highly valuable by cybercriminals for identity theft, blackmail, and resale on criminal markets. Analysts have criticized both the clinic and authorities for failing to adequately safeguard sensitive patient data.

“This incident shows how one weak link in the chain can bring down an entire system,” one cybersecurity specialist noted.

The Nova group has set a deadline of late August for its ransom demand. Unless payment is made, the hackers have threatened to publish the full trove of data, a prospect that could further expose hundreds of thousands of women across the Netherlands.