Dutch Healthcare Data Breach Triggers 118 Criminal Complaints as Investigation Continues
Netherlands, Thursday, 19 February 2026.
Over 100 individuals have filed criminal charges following a massive ransomware attack on Clinical Diagnostics that compromised personal data of 850,000 people participating in the Netherlands’ cervical cancer screening program. The August 2025 cyberattack saw hackers from the Nova group demand cryptocurrency payments before ultimately leaking sensitive medical information despite alleged ransom payments. Dutch prosecutors emphasize that investigating digital crimes requires international cooperation, making suspect identification a lengthy process that could span years across multiple jurisdictions.
Scale and Impact of the Clinical Diagnostics Breach
The ransomware attack on Clinical Diagnostics represents one of the most significant healthcare data breaches in Dutch history, affecting personal information of 850,000 individuals [1][2][3]. The laboratory, which processed samples for the Dutch national cervical cancer screening program, fell victim to the Nova hacker group in August 2025 [4]. The stolen data included highly sensitive information such as names, addresses, BSN numbers (Dutch social security numbers), and medical test results from cervical cancer screenings and self-tests [4]. The breach encompassed data from participants in the population screening program dating back to 2017 [3], highlighting the long-term data retention practices of medical laboratories handling national health initiatives.
Ransom Demands and Criminal Response
Following the cyberattack, hackers demanded approximately 1.1 million euros in cryptocurrency from Clinical Diagnostics [2][3]. The criminals threatened to sell the stolen medical data if the laboratory refused to pay the ransom [1][5]. Despite claims that Clinical Diagnostics paid the demanded sum, the hackers ultimately proceeded to leak the personal data of hundreds of thousands of women who had participated in cervical cancer screening, along with data from tens of thousands of other patients referred to the laboratory by healthcare providers [1]. The Dutch Public Prosecution Service (OM) announced on Tuesday, February 17, 2026, that 118 people have now filed criminal charges in connection with the data breach [1][2][3][4][5]. The breach came to public attention through reporting by the Dutch Population Survey Foundation (BDON), which prompted authorities to launch their investigation [1].
Investigation Challenges and International Cooperation
The OM has initiated a comprehensive criminal investigation that remains ongoing as of February 2026 [1][2][3]. Prosecutors emphasize that investigating digital crimes presents unique challenges, describing the process as “intensive and time-consuming” due to the complex nature of digital evidence that can originate from anywhere in the world [1][3][5]. The investigation requires legal assistance from multiple countries before Dutch police can take substantive next steps, making the identification of suspects a lengthy process [1][3][5]. The OM has stated it cannot yet provide substantive information about the investigation’s progress, noting that if arrests and criminal cases materialize, prosecutors will determine how to handle the 118 filed complaints [1]. The international nature of cybercrime investigations means this case could span years across multiple jurisdictions before reaching resolution.
Broader Implications for Healthcare Data Security
The Clinical Diagnostics breach has triggered wider concerns about data protection in Dutch healthcare systems. By fall 2025, 555 women had already reported identity fraud incidents to the Central Reporting Point for Identity Fraud, including suspicious phone calls and emails following the data leak [4]. The scale of the impact has prompted the Foundation for Collective Consumer Interests (VCC) to prepare a mass lawsuit with legal teams, with at least 100,000 women joining the action [4]. The OM has clarified that filing individual criminal complaints is no longer necessary since prosecutors launched their investigation independently [3][4][5]. This incident underscores the critical vulnerabilities in healthcare data management systems that handle sensitive medical information for population-wide health screening programs, highlighting the need for enhanced cybersecurity measures in medical laboratories processing national health data.