ctipilot.ch

Clinical Diagnostics LCPL / NMDL (NL) — Dutch IGJ ruling: failed NEN 7510 information-security standard at time of July 2025 Nova ransomware breach; ~941,000 patients incl. cervical-cancer screening

incident · incident:clinical-diagnostics-nmdl-igj-2026

Coverage timeline: 1 (first 2026-05-14 → last 2026-05-18)
Briefs: 1 (1 distinct)
Sources cited: 22 (17 hosts)
Sections touched: 1 (active_threats)
Co-occurring entities: 6 (see Related entities below)

Story timeline

  1. 2026-05-14 · CTI Daily Brief — 2026-05-14
     active_threats · IGJ 2026-05-13 public finding — no independent audit + no periodic risk assessment cited as foundational failures; parallel AP GDPR investigation; sector-wide enforcement signalled.

Where this entity is cited

  • active_threats: 1

Source distribution

  • msrc.microsoft.com: 4 (18%)
  • novonordisk.com: 2 (9%)
  • advisories.ncsc.nl: 2 (9%)
  • bleepingcomputer.com: 1 (5%)
  • computable.nl: 1 (5%)
  • igj.nl: 1 (5%)
  • theregister.com: 1 (5%)
  • bankinfosecurity.com: 1 (5%)
  • other: 9 (41%)

Related entities

All cited sources (22)

Items in briefs about Clinical Diagnostics LCPL / NMDL (NL) — Dutch IGJ ruling: failed NEN 7510 information-security standard at time of July 2025 Nova ransomware breach; ~941,000 patients incl. cervical-cancer screening (3)

Novo Nordisk discloses theft of clinical-trial and healthcare-professional data

From CTI Daily Brief — 2026-06-13 · published 2026-06-13

Danish pharmaceutical maker Novo Nordisk disclosed on 11 June that an external party gained unauthorised access to a limited number of internal IT systems and copied non-public data, including clinical-trial participant records and healthcare-professional (HCP) contact information (Novo Nordisk, 2026-06-11). The clinical-trial data is described as pseudonymised — random alphanumeric participant IDs plus sex, year of birth, biomarkers, immunogenicity and health data, and lifestyle factors — and not directly linked to names. The HCP data, however, is directly identifying: names, registration numbers, email addresses, phone numbers, WhatsApp contact details and office locations (BleepingComputer, 2026-06-12). The initial-access vector is not disclosed and no threat actor has been named; affected systems were taken offline and authorities engaged. As an EU-registered controller processing EU/EEA trial data, the breach engages GDPR Article 33 and Danish Datatilsynet notification, and Swiss equivalents under the nDSG for domestic trials.

Defender takeaway: The HCP record set (name + phone + WhatsApp for named clinical investigators) is a complete spear-phishing targeting package — brief clinical-research and pharma-partner staff on elevated social-engineering risk, and watch for WhatsApp/SMS pretexting against named researchers, since no malware IOCs are available to anchor a hunt.

Clinical Diagnostics / NMDL — Dutch IGJ formal NEN 7510 non-conformity ruling

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

The IGJ ruling formally found Clinical Diagnostics / NMDL non-conformant with NEN 7510 (the Dutch information-security-management standard for healthcare) at the time of the July 2025 ransomware breach (approximately 941,000 patients affected and cervical-cancer screening data exposed, per Computable and the 2026-05-14 daily brief). It is the first IGJ NEN 7510 non-conformity finding against a third-party diagnostics provider. For Swiss / EU public-sector defenders, this is the regulatory template member-state regulators are likely to deploy under NIS2 essential-entity supplier-due-diligence obligations: Dutch hospitals using the same supplier, and other EU member-state regulators with parallel healthcare ISO standards (NEN 7510, ISO 27799, the Italian AgID guidelines), will pattern-match this ruling for their own supplier oversight (IGJ inspection report; Computable; daily 2026-05-14).

Dutch IGJ rules Clinical Diagnostics/NMDL failed NEN 7510 information-security standard at time of July 2025 ransomware breach; ~941,000 patients affected, cervical-cancer screening data exposed

From CTI Daily Brief — 2026-05-14 · published 2026-05-14

The Dutch Health & Youth Care Inspectorate (Inspectie Gezondheidszorg en Jeugd, IGJ) issued a public finding on 2026-05-13 concluding that Clinical Diagnostics LCPL BV and NMDL BV (Rijswijk) did not meet the mandatory NEN 7510 information-security standard at the time of their July 2025 ransomware breach, and had not fully remediated the deficiencies as of IGJ's December 2025 follow-up inspection (IGJ, 2026-05-13; native title: "Clinical Diagnostics voldeed niet aan wettelijke norm voor informatiebeveiliging" — "Clinical Diagnostics did not meet the statutory information-security standard"). NEN 7510 is the Dutch statutory information-security baseline for healthcare organisations under the Wabvpz, structurally aligned with ISO/IEC 27001 but extended for health-data obligations; non-compliance is independently actionable by multiple regulators.

IGJ's two named failures are foundational rather than technical: (1) no independent audit of the laboratory's information security had ever been performed, and (2) the organisation had not periodically assessed its processing risks, leaving it unable to determine which controls were necessary. The July 2025 breach — Computable's prior reporting attributes it to the Nova ransomware group — exposed approximately 941,000 patients' personal and medical records, including cervical-cancer screening results processed for the population-screening programme Bevolkingsonderzoek Nederland (Computable, 2026-05-13). IGJ has no fining power and has demanded short-term independent NEN 7510 certification; Autoriteit Persoonsgegevens (Dutch DPA), whose GDPR enforcement carries fines, is running a parallel investigation. IGJ also signalled sector-wide enforcement intent by publicly calling for all healthcare providers to demonstrate independent certification — a leading indicator of broader inspection cadence.

For a Swiss SOC the parallel is direct: NEN 7510 is the regulatory analogue of the EPDG (Bundesgesetz über das elektronische Patientendossier) security profile, and the two specific failures — absence of third-party audit, absence of periodic risk assessment — are the same hygiene-baseline gaps Swiss healthcare providers face under cantonal supervision. The breach scale (941k records, mass-screening data) is the proximate consequence of those structural gaps; the operationally useful read for defenders is detection of NEN-7510-style baseline gaps via third-party assessment, not signature hunting.