Privacy watchdog AP to start probe into clinic data breach

The Dutch privacy watchdog Autoriteit Persoonsgegevens (AP) has started an investigation into the handling of a serious data breach at test processing lab Clinical Diagnostics, which has affected nearly half a million people.
Among the hacked data were the cervical cancer mass screening results of 485,000 women, personal ID numbers, and names and addresses, including those of family doctors and other professionals. The personal data of over 50,000 people was found offered for sale on the dark web.
Companies have a legal duty to inform the AP of a hack within 72 hours. Clinical Diagnostics said it reported the breach in time but the AP would not confirm this, saying it “does not comment on an ongoing investigation”.
The clinic must also inform its clients of a data breach “as soon as possible”. However, screening organisation Bevolkingsonderzoek Nederland was only told about the breach last week, a month after the incident had taken place.
The delay was reportedly linked to a payoff to ransomware group Nova to prevent more data from appearing on the dark web.
In addition, none of the women on the list has been officially notified by Clinical Diagnostics so far.
Complicated rules
The investigation by the AP will have to show if the clinic has broken privacy rules. The definition of “as soon as possible” depends on several factors, including how many people needed to be informed, the type of stolen data involved and the means of communication available, an AP spokesman told broadcaster NOS.
“We still have many questions which we want an answer to and soon. What happened? When was it reported? What happened in the meantime?” he said.
Clinical Diagnostics has said those affected by the hack will receive a letter no later than August 19. It will also officially inform the family doctors on the list.
If the clinic is found to have been in breach of privacy regulations, it could be fined up to €20 million or 4% of its revenue. Depending on the seriousness of the breach, companies could be banned from processing certain categories of personal data.
Women whose data have been stolen could be targeted by criminals and be vulnerable to identity fraud.
In another sinister twist, RTL Nieuws found that some of the women on the list lived in a women’s shelter. Apart from their names and ID numbers, the address of the shelter is also among the hacked data.