GGD COVID-19 health data sale
Insiders at the Dutch municipal health service GGD stole personal data — including BSN national ID numbers — from the CoronIT and HPzone COVID-19 systems and sold it on Telegram, Snapchat and Wickr for €30-€60 per person.
- Victim: GGD (Dutch Municipal Health Service)
In January 2021, the Netherlands' GGD (Gemeentelijke Gezondheidsdienst — the municipal health services responsible for COVID-19 testing and contact tracing) suffered a major insider-driven data breach. Call-centre staff with legitimate access to national pandemic systems stole the personal data of Dutch citizens and sold it on encrypted chat apps, exposing one of the most sensitive databases assembled during the pandemic.
What happened
The GGD operated two central COVID-19 systems: CoronIT, holding the personal details of everyone who booked or took a coronavirus test, and HPzone Light, a source-and-contact tracing system. To staff the national testing operation, the GGD rapidly hired thousands of call-centre workers — many of whom were granted broad access to these systems with limited vetting and weak monitoring.
In December 2020, journalists at RTL Nieuws discovered that personal data clearly originating from GGD systems was being advertised for sale on Telegram, Snapchat and Wickr. Sellers offered individual records — names, home addresses, email addresses, phone numbers, dates of birth and the BSN (Burgerservicenummer), the Dutch equivalent of a social security number — for roughly €30 to €60 per person, with bulk datasets of thousands of citizens sold for thousands of euros.
Impact
- The exposed fields, especially the BSN, are exactly what is needed for identity theft and fraud, making the breach unusually dangerous despite the absence of a technical "hack."
- Dutch police arrested two GGD call-centre employees on 23 January 2021, followed by a third suspect days later.
- The scandal triggered emergency parliamentary scrutiny and forced the GGD to acknowledge that the leak had been ongoing for months before detection.
- The GGD engaged Fox-IT to forensically review CoronIT logs and to monitor GGD GHOR logs until automated, continuous monitoring went live at the end of March 2021.
Why it matters
The GGD case is a textbook insider-threat and access-governance failure. The breach required no malware and no software vulnerability — just over-broad access, inadequate logging, and the absence of real-time monitoring across a hastily scaled workforce. It underscored that pandemic-era systems, built and staffed under extreme time pressure, concentrated highly sensitive national data without commensurate controls. The incident became a reference point in Dutch debates over health-data governance, the privacy risks of the BSN, and the need for least-privilege access and continuous audit logging in critical public systems.
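One way the continuous audit-log review described above could look, as an added example that is not GGD or Fox-IT code. The log format, the account names, the `case_ref` field linking a lookup to an assigned call or case, the `export` action and the threshold are all assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample audit log (hypothetical format, not CoronIT's own):
# timestamp,user,action,record_id,case_ref   ("-" means no linked call or case)
SAMPLE_LOG = """\
2021-01-11T09:02:10,agent_a,view,R1001,C501
2021-01-11T09:07:44,agent_a,view,R1002,C502
2021-01-11T09:15:03,agent_a,view,R1003,C503
2021-01-11T09:03:00,agent_b,view,R2001,C610
2021-01-11T09:04:10,agent_b,search,R2002,-
2021-01-11T09:04:40,agent_b,view,R2002,-
2021-01-11T09:05:15,agent_b,view,R2003,-
2021-01-11T09:05:50,agent_b,export,R2003,-
2021-01-11T09:06:20,agent_b,view,R2004,-
2021-01-11T10:30:00,agent_c,view,R3001,-
"""

def flag_accounts(log_text, max_unlinked=2):
    """Return {(user, day): [reasons]} for access not explained by assigned work."""
    unlinked = defaultdict(set)   # (user, day) -> distinct records opened with no case
    exports = defaultdict(int)    # (user, day) -> number of export actions
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:         # skip blank or malformed lines
            continue
        ts, user, action, record, case_ref = row
        key = (user, ts[:10])     # group per account per calendar day
        if action == "export":
            exports[key] += 1
        if action in ("view", "export") and case_ref == "-":
            unlinked[key].add(record)
    findings = {}
    for key in sorted(set(unlinked) | set(exports)):
        reasons = []
        if len(unlinked[key]) > max_unlinked:
            reasons.append(f"{len(unlinked[key])} records opened without a linked case")
        if exports[key]:
            reasons.append(f"{exports[key]} export action(s)")
        if reasons:
            findings[key] = reasons
    return findings
```

Run on a schedule over each day's log, a check like this surfaces the account whose lookups are not tied to any call it was handling, while staff working only their assigned cases stay below the threshold.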
Timeline
- RTL Nieuws journalists discover GGD personal data being offered for sale on Telegram, Snapchat and Wickr chat services.
- RTL Nieuws publicly reports the illegal trade in GGD COVID-19 data, prompting an investigation.
- Two GGD call-centre employees are arrested on suspicion of stealing and selling citizens' data.
- A third suspect is arrested as the police investigation widens.
- Reports indicate the data leak had existed for months due to weak access controls and monitoring.
- GGD, assisted by Fox-IT, implements automated continuous log monitoring of the CoronIT system.
Sources
- computerweekly.com: https://www.computerweekly.com/news/252495983/Data-of-thousands-of-Dutch-citizens-leaked-from-government-Covid-19-systems
- healthcareinfosecurity.com: https://www.healthcareinfosecurity.com/2-arrested-for-alleged-theft-covid-19-patient-data-a-15856
- schneier.com: https://www.schneier.com/blog/archives/2021/01/dutch-insider-attack-on-covid-19-data.html
- nltimes.nl: https://nltimes.nl/2021/01/28/private-data-leak-ggd-covid-system-existed-months-report