Every organization can be hacked, that is not the point, say cyber experts. It is about what you do as an organization when the burglars have left. Certainly if private data such as names, addresses, social security and telephone numbers and medical details have been stolen, as happened in July at the Medical Lab Clinical Diagnostics. You must, CyberSecurity expert Dave Maasland, immediately report such a hack to the Dutch Data Protection Authority, all customers-in this case Population Research Netherlands, general practitioners and hospitals-advise and advise those involved to be alert on unknown emails and phone calls. Because they can get them, using their stolen data.
And: you have to regain trust, because that’s what it’s all about. “Everyone who has an investigation does data to a lab, a hospital, a general practitioner.”
Clinical Diagnostics waited too long to inform those involved, many stakeholders think. The Medical Lab was hacked at the beginning of July, stolen the data of hundreds of thousands of women who did a self -test for cervical cancer testing through the Netherlands Population screening. Only on August 6 the LAB informed the first customers: the Netherlands population survey, involved hospitals and general practitioners. Most patients and women themselves do not know if their data has been stolen. The lab says in response to questions: “When we discovered that there had been a cyber attack, we immediately started a first investigation. We waited a moment to share information, so that we could first take the right steps. We have been in contact with other parties since 6 August.”
In the meantime, customers speak out. Gelre hospitals says: “We reject late communication about this data breach.” So far there are no indications that patients from that hospital have been affected, but Gelre is a customer of Clinical Diagnostics.
Population screening for the Netherlands, which is hired by the National Institute for Public Health and the Environment (RIVM) and the Ministry of Health, Welfare and Sport, has stopped cooperation with Clinical Diagnostics for the time being. “We are sorry that Clinical Diagnostics only announced a month later that the data of 485,000 women were stolen. We heard it on August 6 and then did not hear from them how this could have been. That is why we have suspended our collaboration with them on Monday 11 August. All the smears and information exchange of and about women are now performed by two other words.”
The hack at Clinical Diagnostics concerned data files up to ten years old. So women who did a smear ten years ago can also be approached by phishersvia e-mails, crazy phone calls or letters, says the spokesperson for the population screening. “We call on them all to be alert.”
950 Laboratories
Good day, waiting a whole month, that’s long, thought Pier Eringa, chairman of the board of Gelre Hospital, when he heard about it. The Lab in the Gelre has been from Clinical Diagnostics since 2023, which is owned by the French Eurofins. And Eurofins, says Eringa, “is not a small club. You would expect to have the security of data done.”
Eurofins Scientific is indeed not a small club. It has laboratories and diagnostic centers around the world and is listed on the French stock exchange.
The company does not only do diagnostics for doctors. The 950 laboratories of the group in sixty countries are also involved in product controls, DNA testing, investigating crops, studies of water quality, forensic research and food analysis in animal husbandry. 65,000 people work; The market value of the company is more than 12 billion euros. Founder and director Gilles Martin became a billionaire with it, his family owns one third of the shares.
Criminal cases postponed
You can’t say that Eurofins was not warned about hackers. In 2020, Martin devoted his opening sentence in the annual report to a cyber attack in his laboratories in the United Kingdom. The “criminal cyber attack” of 2 June 2019 had cost the company 130 million euros of its profit.
The British police experienced the consequences, because the hacked laboratories performed many DNA tests for the judiciary, similar to what the Dutch Forensic Institute does. The British police decided not to use the services of Eurofins for a while. The result: criminal cases had to be postponed and politicians feared that fewer crimes would be resolved.
Eurofins is said to have paid the extursors in the United Kingdom to get full access to his data, reported the BBC – Something that Eurofins did not want to confirm. Even now the company would have been extorted. Eurofins has paid ransom to the hacking group that is held responsible for the burglary, reported RTL News. It would be one of the reasons why the company warned the outside world so late.
As ‘former police boss,’ says Pier Eringa (he was chief of police in Flevoland), “do I think: what is the reason for that waiting? Were they negotiating with the perpetrators in the hope of getting all the data back so quickly?”
Eringa acknowledges that not only the lab but also every hospital is responsible for the protection of patients’ private data. “On the one hand you have to be able to share information quickly with each other about patients, but on the other hand you are therefore vulnerable to these types of criminals. They are fast and have to adhere to much fewer rules than we do.”
But, he also says, “patients, general practitioners and we must be able to count on that data remain safe.”
A super dividend of 32 million euros went to the umbrella company in Luxembourg
Commercial environment
Hospitals need continuous medical information about their patients: from urine, blood and stools, of photos, scans and videos. Medical laboratories were therefore traditionally part of a hospital or fell under a foundation that is not aimed at profit.
Some foundations and hospital labs have been transformed into BVs in the last ten years and ended up in a commercial environment such as those of Unilabs or Clinical Diagnostics/Eurofins. In recent years, Eurofins have bought a series of Dutch laboratories that play an indispensable role in healthcare.
That growth did not always go smoothly. In Leiden, Leiderdorp and Alphen aan de Rijn, patients noticed what it can mean last year if there are problems in the lab. The Alrijne Hospital first sold its microbiological lab to Eurofins and last year saw the chemical lab change owner: Unilabs sold that to Eurofins. The transfer was so difficult that Alrijne could no longer provide acute care, postpone operations and largely had to close the emergency post due to ‘major operational problems’ at the lab.
Two years earlier, the diagnostics of four hospitals Brabant got into trouble after medical microbiologists had resigned. They did not agree with the acquisition of their lab by Eurofins.
To sell
The landscape of the healthcare laboratories has been thoroughly plowed over the past ten years. Insurers encourage scaling up and demand lower rates. Smaller laboratories suffer from accumulating regulations and hospitals in money can choose to sell their diagnostic clinics.
The same goes for the Gelre Hospital in Apeldoorn, which was forced to sell his laboratories two years ago. The hospital was under guardianship of the banks, but with the more than 14 million euros it got from Eurofins for his labs, it could keep its creditors at bay.
“In retrospect, but that is often with afterwards, you can put the necessary questions about it,” says Eringa Board Chairman about the sale that took place before he took office. “A lab is so vital for a hospital that it is important to keep that close to you.” At the same time, he points out that scale is needed to keep the labs profitable.
Eurofins managed to entice many laboratories in their company. Although it apparently also means that more sensitive data is stored in one place, the recent debacle with Clinical Diagnostics learns.
The Dutch branch does not deposit its figures on time, which means that the outside world has a poor view of the health of the company. The group also appears to take financial risks with the Dutch labs that now operate from BVs and hang under a Luxembourg mother. It is certain that the Dutch laboratories were properly emptied last year. A so -called super dividend of 32 million euros went to the umbrella company in Luxembourg – roughly 40 percent of the capital present. The collection capacity of the Dutch division is thus dramatically weakened.
The group does not want to say anything about this. The Dutch Clinical Diagnostics nor the French parent company answers questions from NRC about this.
Tips? [email protected]