Features 13.11.2025
AI Autopsy: Ransomware Attack on Clinical Diagnostics NMDL Exposes Cancer Screen Patients’ Data
The ransomware attack on Clinical Diagnostics NMDL once again highlights the importance of supply chain security
Medical labs are a popular target for ransomware. They typically have an extremely low tolerance for outages due to the often-critical work they perform for healthcare clients. And they process highly sensitive personal and medical information. This is classed as “special category data” by GDPR regulators – meaning it should be subject to extra protections.
Unfortunately, that didn’t stop a ransomware group from stealing the information of hundreds of thousands of cervical cancer screening patients from a Dutch laboratory over the summer. It serves as yet another cautionary tale highlighting the challenges of third-party risk management.
Clinical Diagnostics NMDL, a subsidiary of Eurofins Scientific, was targeted by threat actors from the Nova ransomware group between July 3 and 6 this year. However, it took the firm until August 6 to notify its biggest client, government agency Bevolkingsonderzoek Nederland (BDO), known in English as the Dutch Population Screening Association. BDO immediately suspended the Rijswijk-based lab’s operations, pending an investigation.
Initially, the BDO claimed that the hackers may have compromised cervical cancer screening data belonging to 485,000 participants. However, reports later suggested that the systems compromised contained the information of nearly one million (941,000) participants in screening programmes, dating back to 2017. These included patients at private clinics, as well as current and former prison inmates. There’s still no solid confirmation on how many individuals had their data compromised, but notifications have been sent to all as an abundance of caution.
According to BDO, the compromised data includes names, addresses, gender, test type and result, as well as GP names. In light of the potential gold mine of monetisable information here, the agency urged breach victims to be on high alert for phishing attempts. It cautioned them not to click on links in suspicious emails or texts, and to verify the authenticity of unsolicited phone calls.
Clinical Diagnostics reportedly paid Nova, the ransomware-as-a-service (RaaS) group in question, after it posted data on around 50,000 victims on its extortion site. However, according to Northwave Cyber Security director Pim Takkenberg, Nova returned soon after with a second, 11 Bitcoin ($1.3 million) demand for payment. According to a bizarre post on the leak site from the group’s self-proclaimed ‘president’, the second ransom demand was issued after Clinical Diagnostics broke the agreement between the two parties by involving the police.
Adding further confusion, the 11 Bitcoin demand was subsequently withdrawn. An initial sentence – indicating that the decision was taken “after consultation with our members and out of sympathy for the patients” – was then deleted. Takkenberg believes that the Nova affiliates who carried out the attack may have pressured the group into backing down.
Clinical Diagnostics NMDL is not the first laboratory of this kind to be hit by ransomware. Last year, a ransomware attack on NHS provider Synnovis led to the cancellation of 10,152 acute outpatient appointments and 1710 elective procedures, and was linked to at least one death. However, at first sight, the Dutch lab’s failings could have been prevented with closer adherence to GDPR, NIS2 and other regulations.
“In the Netherlands, organisations must not only comply with the European GDPR and NIS2, but also consider local guidelines from regulators, such as the Dutch Data Protection Authority (Autoriteit Persoonsgegevens),” explains CyberArk senior director of solutions engineering, Bart Bruijnesteijn. “In addition, under NIS2, essential entities like laboratories are required to implement robust risk management and security measures to protect critical infrastructure and sensitive data.”
Although the exact TTPs used by the ransomware affiliate are not currently known, experts Assured Intelligence spoke to have the following advice:
Accelerate NIS2 compliance
Not every organisation in the laboratory sector handles their own supply chain security in the same way, argues Check Point security engineer, Zahier Madhar.
“Until recently, there was not one consistent method for how an organisation works with all its suppliers. Contracts, agreements, and the way information was shared or monitored differed from one partnership to another,” he explains. “This difference made it hard for NMDL to keep a clear overview of its entire supply chain and to understand where the risks were. The introduction of the NIS2 directive should help change that – and enable it to get better control and transparency across the whole chain.”
As this breach has shown, NIS2 compliance can’t come soon enough. However, it will not officially be enforced in the Netherlands until the second quarter of 2026, according to Pieter Arntz, senior malware researcher at Malwarebytes.
“For organisations in a similar position [to BDO], compliance with NIS2’s supply chain risk management means moving well beyond basic supplier due diligence, toward a continuous, proactive, documented approach,” he suggests. “Several key steps are advised: maintain a detailed inventory of all third-party suppliers, prioritise risk tiers, and prepare for NIS2 by updating contracts to include NIS2-specific clauses, regular crisis simulations, and detailed vendor onboarding and monitoring processes.”
Improve third-party visibility
The NMDL breach illustrates how interconnected supplier and partner networks can introduce significant security risks, especially when handling sensitive data, argues CyberArk’s Bruijnesteijn.
“In the Netherlands, this problem is particularly relevant because many laboratories collaborate with regional governments, population screening programmes, and primary care providers. As a result, patient data often travels through multiple intermediaries, increasing the potential points of vulnerability,” he adds.
The key to managing this complexity is to drive improved insight into how data is shared and who has access rights.
“To mitigate these risks, organisations must implement clear access structures, regularly review permissions, and enforce strict security requirements for suppliers,” Bruijnesteijn continues. “Real-time monitoring of data flows is essential, as is participation in regional cybersecurity initiatives such as the NCSC in the Netherlands, which helps ensure vulnerabilities are identified and addressed without delay.”
Consider data segmentation and minimisation
One of the key principles of the GDPR is never to store more information than the organisation needs to perform its job, or to hold onto it for longer than necessary. It appears that Clinical Diagnostics failed on at least the first count.
“Why did it have all that personal data on file? After all, it’s a laboratory that can tie its findings to a unique bar code. This can then be linked to the real person by the government body that is responsible for these programmes,” says Malwarebytes’ Arntz.
Although medical labs in the region are required to retain records containing personal data for several years, this type of tokenisation strategy could have helped mitigate breach risk. Data segmentation techniques, which isolate highly sensitive information, could also have helped to prevent this breach.
“Apparently, the attackers gained access to all the data, like names, addresses, birth dates, medical test results, and other medical data, in one attempt. This means that there was no data segmentation,” says Arntz.
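The barcode tokenisation Arntz describes can be shown concretely. The following is an added example, not code from the article, the lab or the screening programme; it assumes a hypothetical ScreeningAuthority that keeps identities and a keyed pseudonymisation secret, and a hypothetical Lab store that holds only barcodes and results, so a full dump of the lab's data yields no direct identifiers.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

@dataclass
class ScreeningAuthority:
    """Hypothetical programme owner: holds identities and the pseudonymisation key."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    index: dict = field(default_factory=dict)   # barcode -> identity record

    def issue_barcode(self, identity: dict) -> str:
        # Keyed pseudonym: stable per person (so repeat screenings link up),
        # but not reversible or brute-forceable without the authority's key.
        tag = hmac.new(self.key, identity["citizen_id"].encode(), hashlib.sha256)
        barcode = tag.hexdigest()[:24]
        self.index[barcode] = identity
        return barcode

    def resolve(self, barcode: str) -> dict:
        # Re-identification happens only here, never inside the lab.
        return self.index[barcode]

@dataclass
class Lab:
    """Hypothetical lab store: knows barcodes and results, nothing else."""
    results: dict = field(default_factory=dict)

    def record(self, barcode: str, test_type: str, result: str) -> None:
        self.results.setdefault(barcode, []).append({"test": test_type, "result": result})

    def dump(self) -> dict:
        # Everything an intruder with full read access to the lab store would obtain.
        return {b: list(r) for b, r in self.results.items()}

DIRECT_IDENTIFIERS = {"name", "address", "dob", "citizen_id", "gp"}

def identifiers_in(records: dict) -> set:
    """Return any direct-identifier field names present in a lab data dump."""
    found = set()
    for entries in records.values():
        for entry in entries:
            found |= DIRECT_IDENTIFIERS & set(entry)
    return found

def demo():
    authority, lab = ScreeningAuthority(), Lab()
    # Constructed sample identity; not a real person.
    person = {"citizen_id": "000000001", "name": "A. Example", "address": "1 Example St", "gp": "Dr Example"}
    code = authority.issue_barcode(person)
    lab.record(code, "cervical screening", "negative")
    lab.record(code, "cervical screening", "negative")  # repeat test links to the same barcode
    dump = lab.dump()
    return dump, identifiers_in(dump), authority.resolve(code)["name"]
```

The segmentation point is the boundary between the two classes: an attacker who copies the lab's entire store still needs the authority's separately held index and key to attach a name to any result.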
Treat Zero Trust as the gold standard
“The ransomware group was active in the systems of Clinical Diagnostics NMDL for at least several days and was able to extract a lot of data during that time,” Arntz continues. “This is indicative of a lack of monitoring and absence of the Zero Trust architecture you would expect from an organisation dealing with sensitive data.”
Check Point’s Madhar also points to Zero Trust capabilities as crucial in building cyber resilience in highly regulated, at-risk organisations.
“Effective access restrictions, regular review of user rights, and continuous monitoring of systems that process sensitive information help prevent unauthorised access. Together with encryption, pseudonymisation, and network segmentation, these measures form the core of a strong data security and operational resilience strategy,” he explains.
“A well-tested incident response plan ensures that a data breach can be quickly contained and properly reported to regulators and affected parties, helping to maintain compliance with both GDPR and NIS2 requirements.”
Perhaps the most obvious takeaway from the incident is that engaging with threat actors can often be a chaotic, and sometimes fruitless, endeavour.
“Organisations should focus primarily on prevention and recovery, rather than attempting to pay ransoms or make compromises,” concludes CyberArk’s Bruijnesteijn. “This can be supported by participating in regional cybersecurity networks and threat intelligence sharing.”
Any organisation providing critical services in the Benelux region would do well to take note.