Original research was done by Daniel Verlaan[0], who has uncovered data leaks related to COVID testing before[1].
In an email to people who had gotten an appointment from this "coronatestnu" company, all the recipients where addressed in CC[2].
It seems the required pentesting that is needed with these testing companies wasn't done correctly and will be looked at internally[3].
[0] https://twitter.com/danielverlaan/status/1416673022023458816
[1] https://www.zdnet.com/article/dutch-covid-19-patient-data-so...
[2] https://twitter.com/danielverlaan/status/1416700373230923776
[3] https://twitter.com/danielverlaan/status/1416687638896070656
