‘A Nightmare Scenario’: €5 Hard Drives Discovered at Flea Market Contain 15GB of Dutch Medical Records, Experts Warn of Potential Data Breach

A Dutch IT firm has exemplified a severe failure in data protection measures, following the troubling discovery of multiple hard drives containing sensitive medical information for sale at a flea market in Belgium. This incident was initially reported by Dutch broadcaster Omroep Brabant, which highlighted that Robert Polet, a 62-year-old resident of Breda, stumbled upon the drives priced at approximately €5 each during a stopover on his journey home.

Upon examining the drives, Polet was taken aback to find them filled with medical records dating from 2011 to 2019. The data included personal identifiers such as Dutch citizen service numbers (BSN), birth dates, addresses, prescriptions, and other medical details of individuals from regions like Utrecht, Delft, and Houten. After alerting the healthcare organization responsible for the data, Polet learned that it had originated from an IT company, Nortade ICT Solutions, which is no longer in operation.

Nortade ICT Solutions had previously developed software for the healthcare industry, but the circumstances that led to the hard drives ending up for sale remain unclear. In an effort to retrieve the remaining drives, Polet returned to the flea market, yet faced communication obstacles that prevented him from determining the original source of the items.

Rick Goud, CIO and co-founder of the email security and file transfer platform Zivver, described the incident as every organization’s ‘worst nightmare,’ albeit not an entirely unexpected one. Goud expressed concern that the hardware mismanagement reflects a broader disregard for data protection that was prevalent in the past, when healthcare data security was not a priority. The occurrence points to a severe lapse in oversight and highlights the risks of storage hardware that leaves an organization without being wiped, risks that can map to the initial access and persistence tactics outlined in the MITRE ATT&CK framework.

Goud noted the shift in the landscape of data protection over the past decade, credited largely to heightened regulatory scrutiny and the introduction of standards such as ISO 27001 and NEN 7510. These frameworks delineate protocols for safeguarding data and phasing out outdated storage solutions. Yet, he warned that many organizations might still fall prey to security vulnerabilities, particularly those outsourcing data management to third parties without rigorous due diligence.

Victoria Horden, a partner and data protection specialist at global law firm Taylor Wessing, emphasized that both Nortade and the healthcare organization retaining its services could come under regulatory examination. She indicated that health organizations need to conduct thorough due diligence before engaging third-party providers to ensure adequate data security protocols are in place. The repercussions of such incidents could lead to investigations and enforcement actions from data protection authorities.

Regulatory frameworks like ISO 27001 and NEN 7510, which have become legally enforceable over the last few years, contribute to what Goud identifies as a significant mindset shift in the industry regarding data protection. He estimated that while only a small percentage of healthcare suppliers possessed such certifications a decade ago, compliance rates in the Netherlands now approach 70 to 80%.

In conclusion, this incident not only demonstrates a critical failure in data governance but also provides vital insights into the evolving landscape of cybersecurity in the healthcare sector, underscoring the necessity for stringent data protection practices and enhanced awareness of associated risks. The intersection of lax data management and rising regulatory expectations may serve as a pivotal moment for many organizations navigating the complexities of safeguarding sensitive information.