‘It’s your worst nightmare’: A batch of €5 hard drives found at a flea market held 15GB of Dutch medical records – and experts warn it could’ve caused a disastrous data breach
A Dutch tech enthusiast’s bathroom break led to him discovering 15GB of medical data on second-hand hard drives

A Dutch IT company has demonstrated exactly how not to handle data protection after a number of hard drives containing sensitive medical data were found for sale at a Belgian flea market.
First reported by Dutch broadcaster Omroep Brabant, 62-year-old Robert Polet from Breda found the hard drives on sale for roughly €5 each at a flea market after taking a pit stop on his way back from Belgium.
Polet, a computer-crazy camera enthusiast, said that on returning to his home in Breda and inspecting the hard drives, he was shocked to find they were full of medical data from the period between 2011 and 2019.
The hard drives contained the Dutch citizen service numbers (BSN), dates of birth, addresses, prescriptions, and other medical information linked to individuals from the Utrecht, Delft, and Houten regions.
After contacting the affected healthcare organisation, based in Utrecht, Polet said he was informed the data originated from an IT company that no longer exists.
Nortade ICT Solutions used to develop software for the healthcare sector, but exactly how the hard drives ended up at a flea market in Belgium is still unclear.
Polet told Omroep Brabant that once he had made the discovery he returned to the flea market to buy the rest of the hard drives, but could not ascertain where the seller had acquired them due to a language barrier.
“Nightmare” breach as “painful as anyone can imagine”
Speaking to ITPro, Rick Goud, CIO and co-founder at email security and file transfer platform Zivver, described the incident as a business’ ‘worst nightmare’, but noted he was not totally surprised by it.
“It’s your worst nightmare right? If the company wasn’t already bankrupt they probably would be by now… It is not a surprise, but of course as painful as anyone can imagine a data leak to be.”
Elaborating on this, Goud said that the data leaking via improperly handled hardware was indicative of a period when data protection was not front of mind for some organizations working with healthcare data.
“What is interesting about this case is that it’s quite old data. I think it fits the mindset of how healthcare data was treated ten years ago,” he explained.
“It’s certainly not an excuse but it is something I do recognize from the early days when I started in healthcare. Around 20 years ago you could still walk around with DVDs inside a hospital and ask the administrator to install it and put it on the mainframe and they would just do it.”
He said that, thankfully, the risk profile attached to data leaks, especially those affecting health data, has meant businesses have taken cybersecurity and data protection more seriously over the last 10 years.
Attitudes around safeguarding data are changing
Goud attributed this improvement to a higher risk awareness driven by legislation and standards such as ISO 27001 and NEN 7510, which set out procedures and best practices for data protection and for decommissioning old storage devices.
But he warned some businesses will run into this type of security weakness on a day-to-day basis, particularly when they have handed off the problem to a third party.
“They do not ask the vendor the right questions to ensure that a) as a healthcare provider they are sure that the vendor treats the data as well as they do it themselves but also think that basically by hiring somebody else to process your data that you are not responsible anymore and of course that is not true.”
Victoria Horden, partner and data protection specialist at global law firm Taylor Wessing, told ITPro that, as well as Nortade itself, the healthcare organization that contracted it could be subject to investigation.
"The health organizations that engaged Nortade ICT Solutions would be required to carry out appropriate due diligence before appointing a third party provider and ensure that the data security protecting the data is adequate," Horden said.
"Therefore, to the extent this incident reveals a failure to do this, they could also be subject to investigation and enforcement action from the data protection authority."
Goud added that standards like ISO 27001 and NEN 7510 have been around for some time but only became legally enforceable on healthcare organizations roughly four years ago, noting that he feels there has been a ‘mindset shift’ in data protection since then.
“So that has significantly changed practices, until then it was something that the early adopters that had the intrinsic motivation to adequately protect healthcare pursued because, of course, it's costly to go through that kind of certification process. Nowadays it is a must have,” he said.
“In 2011 to 2019 where this data is from you would see probably 2 – 3% of suppliers and healthcare organizations had that type of certification, nowadays I would say that it’s closer to 70 or 80% in the Netherlands at least.”
Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.