Full names, home addresses, dates of birth, medical information: hard drives containing sensitive and personal information of hundreds of patients have been sold at a flea market.
It was 62-year-old Robert Polet from the Netherlands who bought these external hard drives. When he connected them to his computer to see what was on them, he was shocked.
To his surprise, he found folders containing sensitive and personal information of hundreds of patients, covering the period between 2011 and 2019.
“That was quite a shock. I thought: how could something like this happen? My sister or I could have easily been on there,” he told regional news outlet Omroep Brabant.
The folders included documents revealing numerous patients' personal and medical information, such as full names, home addresses, dates of birth, social security numbers, medicine use, information on general practitioners and pharmacies, and so on.
One of the affected healthcare organizations confirmed to Robert that the data originated from a company called Nortade ICT Solutions. It used to be a company that provided software for the healthcare sector, but is no longer around.
A week later, Robert returned to the flea market at airport Weelde to buy the other hard drives. How the seller obtained the hard drives remains unclear. “I’m just happy they ended up with me instead of criminals,” he said.
The law stipulates that storage media containing medical information or other sensitive data must be professionally erased. This case, however, shows this doesn’t always happen.
Stefan Kasbergen, Director of ASK Mobile Archive and Data Destruction, says he might have an explanation of what happened.
“As a company, you can choose to have your data properly destroyed. But you’ll have to pay for that. Or you can sell storage devices as ‘refurbished’ and collect some money. You can probably guess what happened here.”
Kasbergen suspects that the hard drives came from a bankruptcy sale and ended up at a flea market. “That way, a curator gets some money at least.”
Robert has approached a number of general practitioners, pharmacies and healthcare institutions to inform them about the data breach. In addition, he contacted the Dutch Data Protection Authority (DPA) to tell them about his discovery.
Your email address will not be published. Required fields are markedmarked