Hackers breach cancer screening data of almost 500,000 women

Personal health data from more than 485,000 women has been stolen after hackers accessed the IT systems of a cervical cancer screening programme in the Netherlands. 

The incident occurred between 3 July and 6 July 2025 at the Eurofins Clinical Diagnostics NMDL laboratory in Rijswijk, which tests cervical smears and self-tests for the Dutch Population Survey (BDO).

Cyber criminals are believed to have accessed sensitive patient information including names, addresses, dates of birth, citizen service numbers, test results, and participants’ healthcare providers, according to a press release from the BDO.

Elza den Hertog, chair of the board of directors of BDO, said: “We are deeply shocked by this data breach, and we understand that participants who participated in population screening through us are also very shocked.”

She added: “Participating in the cervical cancer screening programme is already a stressful experience for many participants and now you’re being told that your personal data may have been leaked as well. 

“At BDO, we set high standards for due diligence and data security for participants in the screening programmes, and we always make agreements about this with the laboratories that perform the tests. 

“We deeply regret that this has now gone so wrong at one of the laboratories we work with.”

BDO carries out the cervical screening tests on behalf of the National Institute for Public Health and the Environment.

It has temporarily suspended services from Clinical Diagnostics NMDL and is using a different laboratory until it is certain that processing can take place safely.

The BDO and the Ministry of Health, Welfare and Sport have launched an independent investigation into the security of the systems, in consultation with the laboratory.

Commenting on the breach, Rik Ferguson, vice president of security intelligence at Forescout, said: “This breach is a clear example of a systemic blind spot. 

“Almost half a million highly sensitive medical records were exposed because they passed through a subcontracted lab where attackers found a way in. 

“The result is not just another breach statistic; it’s a demonstration of how quickly a single weak link can compromise an entire security chain.

“What happened here fits a much broader pattern. Healthcare has become a prime target because the data is priceless, the networks are complex, and the sector is under constant pressure to deliver more with less.”

He added that research from Forescout, published in May 2025, and the firm’s half-year report both show that healthcare breaches are continuing to climb, with many driven by third-party compromises. 

In June 2024, a ransomware attack on NHS pathology provider Synnovis led to 10,152 acute outpatient appointments and 1,710 elective procedures being postponed at King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS FT, as well as widespread disruption to blood testing in London.

The attack contributed to two cases of severe patient harm, five cases of moderate patient harm and one death.

Following the incident NHS England urged suppliers to sign a cyber security best practice charter in May 2025.