Unfortunately, once again the money flows in the wrong direction—straight into the hackers’ pockets. Could Fryqua have prevented this ransomware attack?

A ransomware group called Nova, which carried out the cyberattack, confirmed to Dutch news outlet RTL Nieuws that a ransom was indeed paid.

The Dutch current affairs program Nieuwsuur (a nationally broadcast investigative news show) devoted extensive coverage to the incident last Monday (August 11,2025). Present were Jeroen Wollaars, Elza den Hartog (Chair of the Population Screening Authority), and Bart van der Sloot, Associate Professor of Privacy Law at Tilburg University.

Elza: “It happened at an external laboratory. We do have agreements on information security and we audit those to ensure compliance, but despite that, this still happened.”

Bart explained clearly what hackers can do with the data:
– Demand money from the affected party to prevent public disclosure.
– Sell it on the dark web to criminal organizations.
– Approach the affected citizens directly to blackmail them by threatening to reveal their results. People must therefore stay alert.

Jeroen: “You just said you’ve known about this since August 6. But it’s also clear that between July 3 and 6—so a month earlier—the lab was notified that their data was circulating online, on the dark web. What do you think about the fact that it took a month before you were informed?”

Elza: “I find that shocking! It’s also not in line with the agreement—they should have informed us within 24 hours. It’s very serious that they failed to do so.”

Bart added that legally, this is also not allowed. By law, such incidents must be reported immediately.

Jeroen: “So you’re saying this company is simply breaking the law right now?”

Bart: “Yes, it seems so on many fronts.”

Jeroen: “Which other aspects?”

Bart: “At the very least, the security standards were inadequate. The reporting obligation was not fulfilled. And judging by their response, it appears they actually did not want to report this incident at all and instead tried to cover it up, which is utterly irresponsible.”

Jeroen: “The Dutch Data Protection Authority published last year which sectors report the most data breaches. Health and welfare were number one by far. How do you explain that?”

Bart explained that healthcare data is the most sensitive, and the problem is that in the medical sector, security standards are still insufficient—which is quite alarming.

Bart concluded: “I also think it’s important that medical practice now really starts learning lessons and takes these kinds of technical security measures much more seriously.”

My (Aukje’s) advice to all involved parties:
Gain insight into your data, monitor activities, and keep track of who has access. Get in touch with Fryqua—we’ll show you how we can raise the technical security standards and data protection of your organization to a higher level.