Dutch police arrest hacker who breached healthcare software vendor

The Dutch police have arrested a 19-year-old man in western Netherlands, suspected of breaching the systems of a healthcare software vendor in the country, and stealing tens of thousands of documents.

These documents might contain sensitive personal and medical data of patients of healthcare providers using the company's systems. At this time, it has not been determined if the hacker shared or attempted to sell the stolen data, as is common in data breaches.

The police traced the man after receiving a report from the hacked company and are currently examining the evidence collected during the arrest at the suspect's home.

While the police's announcement does not name the company that was breached, BleepingComputer found a press release from Dutch technology company Nedap, disclosing a hacking incident of its Carenzorgt.nl portal.

Carengzorgt is a medical portal used by 9,023 healthcare providers and almost half a million active users, offering features like appointment booking, doctor-patient and family-patient communication, and medical data safekeeping.

"In the morning of Monday, 17 October 2022, Nedap was made aware of a vulnerability in the Carenzorgt.nl system, a digital health environment," explains the press release.

"Nedap investigated the vulnerability, resolved it immediately, and then initiated an investigation into the possible impact of this incident."

"This revealed that this vulnerability was recently misused. Documents offered by healthcare providers through Carenzorgt.nl have been downloaded unauthorized."

The alarming finding made Nedap contact the law enforcement authorities, as the medical data of many people were in the hands of an unknown network intruder.

Simultaneously, Nedap informed the healthcare providers using the breached portal about the security incident.

The company has seen no evidence of the stolen documents being circulated on the internet, but the investigation on that front is still ongoing.

Nedap highlights that despite the annual external audits by certified bodies and penetration testers that have helped them discover and fix vulnerabilities in its products, some undetected security flaws remained.