ctipilot.ch

Clinical Diagnostics LCPL / NMDL (NL) — Dutch IGJ ruling: failed NEN 7510 information-security standard at time of July 2025 Nova ransomware breach; ~941,000 patients incl. cervical-cancer screening

incident · incident:clinical-diagnostics-nmdl-igj-2026

Coverage timeline
1
first 2026-05-14 → last 2026-05-14
Briefs
1
1 distinct
Sources cited
2
2 hosts
Sections touched
1
active_threats
Co-occurring entities
1
see Related entities below

Story timeline

  1. 2026-05-14CTI Daily Brief — 2026-05-14
    active_threatsIGJ 2026-05-13 public finding — no independent audit + no periodic risk assessment cited as foundational failures; parallel AP GDPR investigation; sector-wide enforcement signalled.

Where this entity is cited

  • active_threats1

Source distribution

  • computable.nl1 (50%)
  • igj.nl1 (50%)

Related entities

All cited sources (2)

Items in briefs about Clinical Diagnostics LCPL / NMDL (NL) — Dutch IGJ ruling: failed NEN 7510 information-security standard at time of July 2025 Nova ransomware breach; ~941,000 patients incl. cervical-cancer screening (1)

Dutch IGJ rules Clinical Diagnostics/NMDL failed NEN 7510 information-security standard at time of July 2025 ransomware breach; ~941,000 patients affected, cervical-cancer screening data exposed

From CTI Daily Brief — 2026-05-14 · published 2026-05-14 · view item permalink →

The Dutch Health & Youth Care Inspectorate (Inspectie Gezondheidszorg en Jeugd, IGJ) issued a public finding on 2026-05-13 concluding that Clinical Diagnostics LCPL BV and NMDL BV (Rijswijk) did not meet the mandatory NEN 7510 information-security standard at the time of their July 2025 ransomware breach, and had not fully remediated the deficiencies as of IGJ's December 2025 follow-up inspection (IGJ, 2026-05-13; native title: "Clinical Diagnostics voldeed niet aan wettelijke norm voor informatiebeveiliging" — "Clinical Diagnostics did not meet the statutory information-security standard"). NEN 7510 is the Dutch statutory information-security baseline for healthcare organisations under the Wabvpz, structurally aligned with ISO/IEC 27001 but extended for health-data obligations; non-compliance is independently actionable by multiple regulators.

IGJ's two named failures are foundational rather than technical: (1) no independent audit of the laboratory's information security had ever been performed, and (2) the organisation had not periodically assessed its processing risks, leaving it unable to determine which controls were necessary. The July 2025 breach — Computable's prior reporting attributes it to the Nova ransomware group — exposed approximately 941,000 patients' personal and medical records, including cervical-cancer screening results processed for the population-screening programme Bevolkingsonderzoek Nederland (Computable, 2026-05-13). IGJ has no fining power and has demanded short-term independent NEN 7510 certification; Autoriteit Persoonsgegevens (Dutch DPA), whose GDPR enforcement carries fines, is running a parallel investigation. IGJ also signalled sector-wide enforcement intent by publicly calling for all healthcare providers to demonstrate independent certification — a leading indicator of broader inspection cadence.

For a Swiss SOC the parallel is direct: NEN 7510 is the regulatory analogue of the EPDG (Bundesgesetz über das elektronische Patientendossier) security profile, and the two specific failures — absence of third-party audit, absence of periodic risk assessment — are the same hygiene-baseline gaps Swiss healthcare providers face under cantonal supervision. The breach scale (941k records, mass-screening data) is the proximate consequence of those structural gaps; the operationally useful read for defenders is detection of NEN-7510-style baseline gaps via third-party assessment, not signature hunting.