Arnhem, 9 April 2026 – Domain name management at Dutch hospitals is showing modest improvement compared to a year ago, but remains far from adequate. That is the conclusion of research conducted by SIDN, the Dutch registry responsible for the .nl domain.
SIDN identified and investigated over 600 domain names resembling those of hospitals and university medical centres (UMCs) in the Netherlands. The findings reveal that 30.8% of the investigated domain names are not registered in the name of the hospital or UMC itself – an improvement on the 35% recorded in 2025. Hospitals in particular have made meaningful progress: the proportion of domain names not registered in their own name fell from 30% to 20%.
Hospitals lead the improvement
At just under half of all investigated domain names (49%), administrative records were fully in order – up slightly from 46.9% in 2025. Again, hospitals account for most of this progress: the share of domain names managed correctly rose from 53.7% to 59%. Notably, this improvement is driven by a number of hospitals that conducted a thorough clean-up of their domain name portfolios last year, updating all registration details and transferring ownership to the hospital itself, with the in-house IT department listed as the point of contact.
Domain names registered to third parties
A recurring problem is domain names that are not legally owned by the hospital or medical centre. In many cases, the domain name is registered to a third party such as an IT service provider or marketing agency, and sometimes to an individual doctor or researcher. This typically happens out of convenience: a member of staff or external party quickly registers a domain name without involving the IT department.
When that service provider relationship ends, or when the employee leaves the organisation, serious problems can follow. These domain names are often still trusted by internal mail servers and applications. A malicious actor could re-register them and use them to gain access to sensitive data. A further, frequently overlooked risk is that the domain names are legally the property of the IT supplier. If that company goes into administration, the domain names become part of the assets managed by the insolvency practitioner.
Incorrect contact details
The proportion of domain names with incorrect contact details rose over the past year, reaching 11.3% of investigated cases. Both hospitals (from 9% in 2025 to 13.9%) and medical centres (from 2.5% to 9%) recorded a significant increase. In these cases, registration details may list a personal email address belonging to a member of staff, an external web design agency, or another individual. When contact details are not in the name of the organisation, the domain name can be transferred or cancelled without the healthcare institution’s knowledge.
SIDN observed the same pattern as in 2025: many “friends of” or staff association websites fall outside hospital ownership and management, yet use the institution’s branding and logos. Also notable is the rising number of websites used for patient-reported outcomes measurement – so-called PROMS sites – which are used to assess patient health, quality of life, and functioning. These are frequently managed by external parties and styled entirely in the hospital’s house style. The risk in all these cases is that such sites fall outside the awareness of the hospital’s IT managers or security staff, yet are trusted by both patients and employees.
Gambling sites and anabolic steroids
The consequences of poor domain name management are illustrated by examples SIDN’s researchers encountered during the study. Multiple gambling sites were found exploiting hospital names in their domain names – often websites that once belonged to a healthcare provider but were allowed to lapse. Because these domains carry a high trust score in Google, illegal online casinos have reused them to host gambling services. Researchers also came across a website offering anabolic steroids, hosted on a domain name that previously belonged to a medical centre.
Typosquatting
The research also uncovered domain names likely registered for malicious purposes. In 6.2% of cases, the domain name constitutes typosquatting: a name that closely resembles a brand or organisation but contains a deliberate spelling error (for example, “…zieknhuis.nl”). Regular monitoring of an organisation’s own name is an effective countermeasure, and also a necessary one, given that typosquats are frequently used for fraudulent purposes.
Awareness improving
Martijn Sanders, Product Owner SIDN Brand Monitoring at SIDN, commented: “We can see that awareness within hospitals has improved, but overall – and particularly among the UMCs – further steps are still needed. When organisations think about digital threats, they typically focus on data theft or system intrusion. But domain names are also vulnerable and, for that reason, a popular target for malicious actors.”
Sanders noted that hospitals and medical centres that contacted SIDN following last year’s research have made considerable progress within a single year: “The organisations we spoke with have taken concrete steps to reclaim control of domain names that were not managed in-house. For those institutions, this problem has been almost entirely resolved.”
About SIDN
SIDN manages the .nl domain and ensures that all registered domain names – now numbering over six million – remain accessible on the internet. Its systems process more than four billion queries daily. SIDN also develops services and solutions to make digital life safer and easier, and its research team, SIDN Labs, creates new technologies to enhance the stability and security of .nl, the DNS, and the wider internet infrastructure.
The editor is not responsible for the contents of this press release
