Hackers breached the IT systems of **Eurofins Clinical Diagnostics NMDL**, a laboratory responsible for cervical cancer screening in the Netherlands under the **Dutch Population Survey (BDO)**. Between **3–6 July 2025**, cybercriminals stole **sensitive personal health data** of **485,000+ women**, including **names, addresses, dates of birth, citizen service numbers, test results, and healthcare provider details**.

The breach forced BDO to **temporarily suspend services** from the compromised lab and switch to an alternative provider. An **independent investigation** was launched by BDO and the **Dutch Ministry of Health, Welfare and Sport** to assess security failures.

The incident highlights systemic vulnerabilities in **third-party healthcare providers**, where attackers exploit weak links in the supply chain. The breach follows a broader trend of escalating cyberattacks on healthcare, with prior cases (e.g., **2024 Synnovis ransomware attack on NHS**) causing **patient harm, delays in critical treatments, and even fatalities**. The stolen data, highly sensitive and irrecoverable, poses **long-term risks of identity theft, fraud, and blackmail**, deepening public distrust in medical data security.

Source: https://www.digitalhealth.net/2025/08/hackers-breach-cancer-screening-data-of-almost-500000-women/
TPRM report: https://www.rankiteo.com/company/eurofins-clinical-diagnostics
{
  "id": "eur455081325",
  "linkid": "eurofins-clinical-diagnostics",
  "type": "Cyber Attack",
  "date": "8/2025",
  "severity": "100",
  "impact": "7",
  "explanation": "Attack that could injure or kill people"
}
{'affected_entities': [{'customers_affected': '485,000+ women',
                        'industry': 'Healthcare',
                        'location': 'Netherlands',
                        'name': 'Dutch Population Survey (BDO)',
                        'type': 'Government Health Program'},
                       {'customers_affected': '485,000+ (via BDO)',
                        'industry': 'Healthcare/Diagnostics',
                        'location': 'Rijswijk, Netherlands',
                        'name': 'Eurofins Clinical Diagnostics NMDL',
                        'type': 'Private Laboratory'},
                       {'industry': 'Public Health',
                        'location': 'Netherlands',
                        'name': 'National Institute for Public Health and the '
                                'Environment (RIVM)',
                        'type': 'Government Agency'}],
 'customer_advisories': 'Public notification via BDO; participants advised of '
                        'potential data leakage',
 'data_breach': {'data_exfiltration': 'Confirmed',
                 'number_of_records_exposed': '485,000+',
                 'personally_identifiable_information': ['Names',
                                                         'Addresses',
                                                         'Dates of Birth',
                                                         'Citizen Service '
                                                         'Numbers'],
                 'sensitivity_of_data': 'Extremely High (medical test results, '
                                        'PII)',
                 'type_of_data_compromised': ['Personal Identifiable '
                                              'Information (PII)',
                                              'Protected Health Information '
                                              '(PHI)']},
 'date_detected': '2025-07-06',
 'date_publicly_disclosed': '2025-07-06',
 'description': 'Hackers breached the Eurofins Clinical Diagnostics NMDL '
                'laboratory in Rijswijk, Netherlands, accessing sensitive '
                'patient information of over 485,000 women participating in '
                'the Dutch Population Survey (BDO) cervical cancer screening '
                'program. Compromised data includes names, addresses, dates of '
                'birth, citizen service numbers, test results, and healthcare '
                'providers. The breach occurred between **3 July and 6 July '
                '2025**, prompting BDO to suspend services from the affected '
                'lab and launch an independent investigation with the Ministry '
                'of Health, Welfare and Sport. The incident highlights '
                'systemic vulnerabilities in third-party healthcare providers, '
                'echoing broader trends of rising breaches in the sector due '
                'to complex networks and high-value data.',
 'impact': {'brand_reputation_impact': 'Severe (public shock, loss of trust in '
                                       'BDO and Eurofins)',
            'customer_complaints': 'Expected (high stress for affected '
                                   'participants)',
            'data_compromised': ['Names',
                                 'Addresses',
                                 'Dates of Birth',
                                 'Citizen Service Numbers',
                                 'Test Results',
                                 'Healthcare Provider Information'],
            'downtime': 'Services suspended temporarily; alternative lab used '
                        'for testing',
            'identity_theft_risk': 'High (PII and medical data exposed)',
            'legal_liabilities': 'Potential (investigation ongoing)',
            'operational_impact': 'Disruption to cervical cancer screening '
                                  'program; independent investigation launched',
            'systems_affected': ['Eurofins Clinical Diagnostics NMDL '
                                 'laboratory IT systems']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Likely (not confirmed)',
                           'high_value_targets': ['Medical test results',
                                                  'PII of screening '
                                                  'participants']},
 'investigation_status': 'Ongoing (independent investigation by BDO and '
                         'Ministry of Health)',
 'lessons_learned': 'Third-party vendors in healthcare are critical weak '
                    'points; systemic blind spots in supply chain security can '
                    'lead to large-scale breaches. Healthcare sector remains a '
                    'prime target due to high-value data and complex networks.',
 'motivation': ['Financial Gain (likely, given sensitivity of medical data)',
                'Data Theft for Dark Web Sale'],
 'post_incident_analysis': {'corrective_actions': ['Service suspension',
                                                   'Independent security '
                                                   'review',
                                                   'Potential policy changes '
                                                   'for third-party labs'],
                            'root_causes': ['Third-party vendor vulnerability',
                                            'Inadequate security controls at '
                                            'Eurofins NMDL']},
 'ransomware': {'data_exfiltration': 'Yes (but not ransomware-related)'},
 'recommendations': ['Strengthen third-party vendor cybersecurity audits '
                     '(e.g., NHS England’s cybersecurity best practice '
                     'charter)',
                     'Implement zero-trust architecture for sensitive medical '
                     'data',
                     'Enhance monitoring of subcontracted labs handling PHI',
                     'Improve incident response coordination between public '
                     'health agencies and private labs'],
 'references': [{'date_accessed': '2025-07-06', 'source': 'BDO Press Release'},
                {'date_accessed': '2025-07',
                 'source': 'Forescout (Rik Ferguson comment)'},
                {'source': 'Shutterstock (image credit)',
                 'url': 'https://www.shutterstock.com'},
                {'date_accessed': '2024-06',
                 'source': 'NHS Synnovis ransomware attack (contextual '
                           'reference)'}],
 'regulatory_compliance': {'regulations_violated': ['Likely GDPR (EU General '
                                                    'Data Protection '
                                                    'Regulation)',
                                                    'Dutch healthcare data '
                                                    'protection laws'],
                           'regulatory_notifications': ['Ministry of Health, '
                                                        'Welfare and Sport '
                                                        'involved']},
 'response': {'communication_strategy': ['Public press release by BDO',
                                         'Statements from BDO leadership'],
              'containment_measures': ['Suspension of services from Eurofins '
                                       'NMDL',
                                       'Switch to alternative laboratory'],
              'incident_response_plan_activated': 'Yes (independent '
                                                  'investigation launched)',
              'law_enforcement_notified': 'Likely (not explicitly stated)'},
 'stakeholder_advisories': 'BDO and Ministry of Health, Welfare and Sport '
                           'leading communication',
 'threat_actor': 'Unknown cyber criminals',
 'title': 'Breach of Cervical Cancer Screening Data Affecting Nearly 500,000 '
          'Women in the Netherlands',
 'type': ['Data Breach', 'Unauthorized Access']}