
Before last year’s cyberattack, Clinical Diagnostics didn’t meet the legally required information security standards for the healthcare sector. Skipping audits was one of the many major flaws the lab overlooked.
- Dutch lab disabled monitoring on critical systems due to "incorrect information," skipped security audits for three years, and left accounts unprotected by multi-factor authentication.
- Hackers stole data on 850,000 cancer screening patients after exploiting the unmonitored legacy systems.
- Clinical Diagnostics paid ransom to the Nova ransomware gang, but the health inspectorate found it failed to meet legally required healthcare security standards.
That’s the main conclusion of the Health and Youth Care Inspectorate (IGJ), which launched a thorough investigation after a massive data breach.
According to the Inspectorate, the attackers used a compromised user account to gain access to a legacy environment via a remote desktop connection. How the user account was compromised remains a mystery.
Furthermore, the legacy environments were not monitored due to human error.
“Based on incorrect information, the Security Operations Center (SOC) assumed that the legacy environment in question was no longer active and disabled monitoring for it. As a result, anomalies in the logging were not detected,” the Inspectorate’s report says.
The compromised user account used a 16-character password. However, multifactor authentication (MFA) was disabled at the time of the attack.
Lastly, in the three years prior to the incident, no audits had been conducted to review the lab’s cybersecurity and data protection.
All things considered, Clinical Diagnostics made several mistakes in properly protecting people’s personal and sensitive information.
“Given the large scale of the processing and the risks to the privacy of data subjects due to the sensitive nature of the data, Clinical Diagnostics should have been aware of its responsibility,” the Health and Youth Care Inspectorate states.
The IGJ is demanding that Clinical Diagnostics comply with the legally required information security standards. Several external audits have been carried out, and the lab expects to meet this demand shortly.
The Inspectorate doesn’t have the authority to impose punitive measures, but the Dutch data protection authority (DPA) has. The privacy and data protection supervisor can impose a penalty for failing to meet the legally required standards for information security.
In July 2025, the Centre for Population Screening told the media that ransomware extortion gang Nova had stolen personal and sensitive information from 485,000 participants in a cervical cancer screening program by accessing Clinical Diagnostics’ IT systems. The medical research lab later adjusted this number to 850,000 patients.
To resolve the issue, Clinical Diagnostics paid its hackers an unknown amount of ransom.