Hacker collective Nova says it has received a ransom from Clinical Diagnostics, after using ransomware to steal personal data and sensitive medical information of 485,000 women who participated in the population screening for cervical cancer. The group and an anonymous source within Clinical Diagnostics said this to RTL News on Wednesday. In support, the outlet published a screenshot of a chat conversation it had with Nova.
NRC cannot verify the information. Clinical Diagnostics does not answer specific questions about payment of ransom, because of the ‘additional risks’ that this would entail. The laboratory did, however, announce by e-mail on Tuesday that its systems were “affected by ransomware” and that these have now been recovered “without data loss”. How much the ransom would be is not known. RTL reports that the criminals demanded ‘millions’.
More data leaked than expected
On Monday afternoon it was announced that hackers stole data from nearly half a million women who participated in the population screening for cervical cancer. The cybercriminals broke into the systems of Clinical Diagnostics, part of Eurofins, which has several laboratories in the Netherlands where smears and samples are analyzed for all kinds of medical examinations.
Data was also stolen from tens of thousands of patients who had a test taken through their doctor or hospital that was analyzed by Clinical Diagnostics. That became apparent a few hours after Netherlands Population Screening broke the news about the stolen personal data. Not only have patients' personal data been leaked (such as citizen service numbers, addresses and names of health insurers), but potentially sensitive medical test results have also ended up in the wrong hands.
Personal data of a minister and a Member of Parliament
On the dark web, a hard-to-reach, anonymous part of the internet, the criminals of Nova have shown a sample of the loot. RTL News has viewed it; NRC chose not to do so. The sample contained data of more than 53,000 people: a total of 100 megabytes of results of medical examinations carried out for general practitioners, hospitals and independent clinics. RTL wrote that the private data of a minister from the current outgoing cabinet and of a Member of Parliament could also be seen.
By paying ransom, organizations hope to prevent worse. The fear is, for example, that sensitive information about all women who participated in the population screening ends up on the dark web. Criminals can use that information to scam or extort patients, or resell it to other criminals, who can use it to write highly targeted phishing emails.
Reprehensible
No report has yet been filed and no police investigation has been set in motion, the police told NRC. One question is whether Clinical Diagnostics has acted reprehensibly: the company from Rijswijk took a month to inform victims of the hack, in its own words so that it could “take the right steps first”. The stolen sample was already online on July 6; Netherlands Population Screening says it was informed by the laboratory on 6 August.
The Dutch Data Protection Authority (AP) prescribes that organizations report a data breach “immediately” to the privacy watchdog. Victims must also be informed ‘as quickly as possible’. When asked, the AP said that it was informed by Clinical Diagnostics about the leak, but it does not want to say whether that happened on time: that is ‘supervisory’ information, and is part of the investigation that the AP is conducting into the matter. The fact is that victims of the hack have not been informed quickly: they have yet to receive a letter from Clinical Diagnostics.
Under the General Data Protection Regulation (GDPR; AVG in Dutch), organizations are required to properly protect data. The more sensitive the data, the more strictly it has to be protected, a spokesperson for the AP explains. Medical data belongs to the ‘special personal data’ category. These are data so privacy-sensitive that, as the law dictates, they must be protected extra well. Clinical Diagnostics will have to prove that the company has taken sufficient measures to protect patients’ data.