It was impossible to ignore in the Netherlands in recent weeks: the data breach at Clinical Diagnostics, the laboratory that processes cervical cancer tests for the Dutch National Screening Program (Bevolkingsonderzoek Nederland). Where did the Program fall short?

Subscribe to our monthly English newsletter

This article previously appeared as the foreword of our monthly newsletter. Want to receive this newsletter directly in your inbox? Sign up at:

 Criminals recently accessed IT systems of a Dutch laboratory, Clinical Diagnostics. This laboratory, operating on behalf of the Dutch National Screening Program, performs tests to assess cervical cancer risks. Last year I did a test and I recently received a letter that my personal data was part of the data leak.

The Dutch National Screening Program disclosed the breach to the media relatively quickly and started informing affected people. However, the letter could have been better.

Firstly, the letter doesn’t clarify which data was leaked. In some cases, more data was leaked than in others. I can only guess which group I was a part of, and I'm not sure if the lab itself knows.

Additionally, victims are advised to remain vigilant of the possibility of abuse of their personal data. How such abuse could be recognized isn’t clarified. It would have been better if the letter explicitly mentioned phishing risks and gave a number of examples.

The most harrowing part? The Dutch National Screening Program sees no reason to be concerned about future tests, because these tests would be administered by a different laboratory. That way, any new tests you participate in would be in safe hands according to the Dutch National Screening Program. And that is a promise that the Dutch National Screening Program simply cannot and should not make.

As soon as personal data is processed, the risk of a data breach is there. There is no such thing as a 100% guarantee that a system is secure.

Our privacy regulations are centered on giving people control over their personal data, especially when an incident like this takes place. However, false promises on future data security and not having to worry are of no help. Presenting a fair and true view on risks and how to act does help. And in that regard, the Dutch National Screening Program has fallen short.