The data of thousands of customers of a provider of, among other things, blood tests for home have been leaked.
It concerns names, e-mail addresses, places of residence and zip codes of an estimated more than six thousand people who have been customers of the North Holland company Labonovum since March 26, 2020.
The names and address details were publicly accessible for an unknown period of time via the site of Labonovum's brand name PostYourLab.
The datasets do not contain any other personal data, test results or other medical data.
The leak was closed soon after NU.nl contacted the company.
NU.nl was informed via tip platform Publeaks that the data was public.
Among other things, Labonovum offers tests in which people can send a number of drops of blood to a laboratory.
Based on this, the company promises to be able to say, among other things, whether antibodies against the corona virus can be found in the blood.
Director Richard Monkel does not want to say in conversation with NU.nl whether those tests have mainly been popular in the past year.
In addition to tests for corona antibodies, Labonovum offers "a whole package of diagnostics".
Monkel says a hacker has broken into a server where customers can place orders.
Labonovum plans to file a report with the police, says the director.
He also promises that affected customers will be informed by email on Monday.
Despite the promise, data has not been deleted
The PostYourLab site states that Labonovum stores address data for thirty days and then deletes it.
It also states that the company "never [will] have the name of the customer".
The leaked data shows that this is not true.
Monkel acknowledges that Labonovum does not properly explain how the company handles personal data with that text.
The text will not be changed, but from now on this data will be deleted after thirty days, just like with other customer data, he says.
The company is still investigating whether it should report the incident to the Dutch Data Protection Authority (AP).
Notifying the supervisor is mandatory if a leak is likely to entail a risk for those involved.
This news came about after a tip to NU.nl. Do you also want to share something? Read here how you can reach the editors. Contact with our journalists is always confidential.
This news came about after a tip to NU.nl.
Do you also want to share something?
Read here how you can reach the editors.
Contact with our journalists is always confidential.