back to article Hundreds of Dutch medical records bought for pocket change at flea market

Typically shoppers can expect to find tie-dye t-shirts, broken lamps and old disco records at flea markets, now it seems storage drives filled with huge volumes of sensitive data can be added to that list. Robert Polet, a 62-year-old techie and apparent bargain hunter from Breda, a city in the southern part of the Netherlands …

  1. Doctor Syntax Silver badge

    As the company no longer exists no action can be brought against them. That just leaves the directors. We can but hop.

    In the meantime does this leave Robert with the costs of certified erasure now he's in possession of the drives?

    1. IamAProton

      It would be more interesting doing some research about that company and see if data of any of the people responsible for this are in those disks. Then make it public.

      I'm quite sure "the internet" can help to find out who they are.

    2. cyberdemon Silver badge
      Trollface

      After erasing them with random data, he should take them to the dump in Newport

      Then he could recoup his costs by pretending he found them there and selling them on to a complete chump.

    3. rafff

      As the company no longer exists no action can be brought against them

      It depends on the jurisdiction. IANAL but as I understand it in the UK a limited company protects the directors and shareholders from financial liability, but not liability for dodgy behaviour. In France I believe it is the other way around. In NL, I dunno.

      1. Doctor Syntax Silver badge

        Re: As the company no longer exists no action can be brought against them

        Buried somewhere in GDPR is a provision for making people personally responsible so that should be an option in any jurisdiction where GDPR applies.

      2. chivo243 Silver badge

        Re: As the company no longer exists no action can be brought against them

        There's BV and NV and I don't see either attached to the company name.

        https://www.startingabusinessnl.com/starting-a-bv/about-a-bv/differences-bv-nv/

        Also a BV gives more flexibility in arranging the articles of association. For instance, the articles of association of a BV can determine that the shareholders can be held liable for the debts of the BV. The articles of association can also restrict the transferability of the shares or determine that the issued shares do not have any voting rights or profit rights.

      3. Alan Brown Silver badge

        Re: As the company no longer exists no action can be brought against them

        Shareholders are financially protected. Directors vastly less so.

        On paper anyway

        Dodgy behaviour includes quite a number of (unlawful) practices that have become normalised over the last 3 decades of tory(*) "light touch" regulation and holding directors responsible usually gets met with handwaving about it bring "too hard"

        The effective result is that it's become a Wild Wild West that's only just starting to be reined in by regulators who've been systematically short-funded for decades as a deliberate ploy to keep them toothless

        (*) Both the Thatcher type and the Blair type.

        YMMV in other countries. USA is arguably much worse whilst Germany much better

    4. abend0c4 Silver badge

      As the company no longer exists no action can be brought against them

      As they were not a medical company, but a software company, the medical data must have come from somewhere else. It's possible the "somewhere else" might be responsible, It's also possible, if the defunct company had been entrusted with secure erasure, that the liquidators might be responsible if these were treated as valueless assets to be casually disposed of. But I suspect the expenditure of effort to assess any potential liability might be seen as burdensome by the regulator.

      1. rskurat
        Facepalm

        "burdensome" by the regulator

        heaven forbid companies being required to adhere to agreements & regulations, that wouldn't do at all. Such a burden!

      2. Alan Brown Silver badge

        Dutch regulators are vastly less inclined to wave the "too hard" flag than British/American ones

    5. Ian Johnston Silver badge

      We can but hop.

      Like a one-legged man in an arse-kicking contest?

  2. MachDiamond Silver badge

    I've got a stack

    One of my clients got into a business that transitions seniors to new housing and handles the disposal of estates. I've wound up as their "computer guy" that can go through the drives and pull out anything that the family may want or need and then securely wipe the drives. In practice, the securely part is reformatting them and using them myself for backups. If the computer will be refurbished, I'll be more thorough. My pay is all of the used computer gear I want. Anything that's still moderately useful get a fresh OS install, some open source apps and winds up available to anybody that has a need, but doesn't have the money. The local churches and schools always seem to know somebody that can use one. My schedule is so erratic that it's hard to commit to volunteering somewhere, but this I can do.

    1. Geoff Campbell Silver badge
      Pirate

      Re: I've got a stack

      A few years back, a friend of mine died. I volunteered to help his widow clear out his hoard of, well, everything, really. We had a decent wake in my shed during which we recommissioned a couple of motorbikes he'd owned for decades, which I'm sure he would have enjoyed.

      Anyway, after that, I started in on his hoard of computer gear. He'd spent about four decades tinkering with his own computers, and supporting a couple of small organisations and his entire extended family. And he'd never thrown anything away. There were several rooms and a decently large shed packed with bits of old computers, including every hard disk and memory stick he'd every used, replaced, or stored. Some were dated, including 5.25" SCSI units from 1984.

      I bought two large car-loads back home and spent a very therapeutic couple of weeks recovering what data I could, which all fitted onto a single modern hard disk, then introducing the disks to a pillar drill and sledgehammer before dropping the remains off at the tip.

      GJC

  3. Anonymous Coward
    Anonymous Coward

    proper test data

    How would a software company end up with sensitive data? Well you need realistic data to test with don`t you? So here, take this old backup. We don`t need it anymore. ...

    1. tiggity Silver badge

      Re: proper test data

      Maybe they hosted non cloudy sites / APIs to access such data and so data was stored with them?

      Maybe they converted data from one format to another / extracted subsets of data for customers?

      etc..

      I can think of lots of reasons they may have the data, but not any reasons for it not being deleted as soon as not required as per GDPR.

    2. gzuckier

      Re: proper test data

      We always used "synthetic" test data for all the stuff we wrote. And we weren't even professional "software engineers."

      1. AbominableCodeman

        Re: proper test data

        That's fine for isolated systems, a tad harder for integeration and similar, where your project has to talk to another data source that expects to have matching records and state.

  4. DartfordMan

    Why Trust The Authorities

    No doubt people had been assured their data were safe. If anybody is brought to book then an official statement will be 'lessons have been learned' (in Dutch). And when the next sorry loss of personal information is carelessly treated we will hear the same excuses. Any failsafe protection protocols are dependent upon the humans who run them, and humans are lazy, feckless and untrustworthy.

  5. Marty McFly Silver badge
    Go

    Remote data destruction

    I have e-wasted many computers over the years, but none contained a hard drive. Those are all pulled, set on a bench, and destroyed from 100 yards away. A well placed .308 will go right through, but a .22lr will just dent it drive.

    Totally legit. Physical destruction of the storage media is just as acceptable as making multiple passes, writing ones & zeros to meet DoD 5220.22-M.

    Cheaper too. And when done in quantity it can be an IT team building exercise....though the BOFH may debate whether it should be held off-site or not.

    1. Hubert Cumberdale Silver badge

      Re: Remote data destruction

      I take it you're in the US, as finding a firearm in the UK to carry out such destruction would be nigh-on impossible (and quite rightly, in my opinion). Although it does sound like a good way to let off steam. I would argue that a pickaxe/sledgehammer would likely work as well and be even cheaper.

      As for that DoD nonsense – I would argue that unless the person trying to get your data has the resources of a national government and the motivation of that idiot looking to buy a landfill site, simply overwriting with a single pass of zeros would do it.

      1. GNU Enjoyer
        Angel

        Re: Remote data destruction

        >as finding a firearm in the UK to carry out such destruction would be nigh-on impossible

        Even in the UK you could find someone with a powerful enough rifle without much difficulty, although the UK challenge is shooting the HDDs without getting arrested.

        >has the resources of a national government and the motivation of that idiot looking to buy a landfill site, simply overwriting with a single pass of zeros would do it.

        A single pass of zeros will render the data on any modern HDD unreadable, considering that the data from a single modern platter with a single pass of 0 has never been recovered.

        A requirement for multiple random passes makes it inconvenient to format a drive and the end result of that is drives getting dumped without even a filesystem delete.

        1. Lord Elpuss Silver badge

          Re: Remote data destruction

          "Even in the UK you could find someone with a powerful enough rifle without much difficulty"

          It would be extremely difficult.

          1. imanidiot Silver badge

            Re: Remote data destruction

            No it really wouldn't. There's plenty of hunters and sports shooters in the UK. Most of whom would have rifles (if they shoot long guns) capable of destroying a harddrive.

            1. Hubert Cumberdale Silver badge

              Re: Remote data destruction

              There may be several "sports" shooters around, but I don't know any. Hence, finding one would be, for me, extremely difficult. I'm hardly likely to be well received just rocking up at a rifle range and asking to borrow a gun to shoot up some shit like Elvis with a TV. Bearing in mind I'm comparing this to the US, where you get a free handgun with every packet of cornflakes.

          2. chris street

            Re: Remote data destruction

            It really wouldnt be that tricky at all. There would be several hundred thousand licence holders that have such firearms in the UK, I've got a couple in the safe here....

            The problem would be doing so safely on a rifle range. Not an impossible task though.

            1. Hubert Cumberdale Silver badge

              Re: Remote data destruction

              Okay, tell me how to go about it. I personally know nobody with any kind of firearm (unless they're keeping very quiet about it). Do I just start knocking on random doors and asking...?

              Just for fun, let's see how that would go in the UK. There were 147,140 holders of firearm certificates in 2023 (excluding shotguns, which wouldn't be great for destroying a hard drive). There were approximately 28.4 million households in the United Kingdom in 2023. Back of the envelope, ignoring various second-order things that probably largely cancel out, This gives me a chance of slightly better than 1 in 200 for every door I knock on. I suspect that I'd be having words with a friendly officer before I'd got to a dozen.

              I concede that, as a nation with more guns than people, the whole "shooting your hard drive" thing would be a lot easier in the US.

        2. Alan Brown Silver badge

          Re: Remote data destruction

          "considering that the data from a single modern platter with a single pass of 0 has never been recovered"

          DOD erase and all the other multiple pass processes was described by Peter Guttman as "unncessary voodoo" in 1995. All of those processes assume 1970s-era hard drives with very low track/bit density and low levels of head absolute positioning repeatability.

          Voice coil hard drives with a servo track have absolute repeatability down to low enough tolerances that there has been essentially no "track slop" for 30+ years (when was the last time you purchased a new drive that used stepper motors to position the heads?)

          1. EnviableOne

            Re: Remote data destruction

            if you need the data, the Center for Memory and Recording Research at UC San Diego did it all.

            They proved unless you can move the heads of the centre of the track, multiple overwrites make no difference.

            They also developed an OS tool to trigger the secure erase unit command

      2. Alan Brown Silver badge

        Re: Remote data destruction

        "I would argue that a pickaxe/sledgehammer would likely work as well and be even cheaper."

        This is an area I looked into quite heavily a while back as I had _thousands_ of old drives to deal with and secure erase really isn't worth the time for old drives if you can just render them unusable(*)

        The best (aka most cost effective) solution I found was a device which would snap the drive in 2 lengthways, bending the platters and rendering them useless - anyone who wants to quote Peter Gutmann's atomic microscopy work should be aware of his followup paper where he was unable to replicate the results on 100MB "modern" drives let alone anything larger (the original tests were on 5 & 10MB stepper motor drives) - and as he also pointed out, when you're looking for 1Mb of data (about the practical maximum using atmoic microscopy) on a 10Gb drive, the odds are very much against you

        That said, these solutions weren't cheap. A basic disk shredder was $10-20k and the drive breaker was $5k - more if you want ones which don't need to be hand-fed individual drives

        Secure erase is time consuming, but repurposing an old 16-24 bay supermicro chassis and some suitably crafted scripts makes it "setup and walk away". Pillar drills (drill presss for American/Australian/Kiwi readers) are time consuming and messy

        HOWEVER: a 10-ton hydraulic bearing press (as used in automotive workshops) along with a few suitable chunks of steel used as anvils is _very_ cheap, relatively quick and suitable for small volumes of permanent disk destruction (I wouldn't use a hand pumped version for more than 10-20 drives, but the air driven ones can get you down to 20 seconds per drive with no secure erase needed)

        My overall preferred solution for more than 100 drives is this:

        There are several companies which offer onsite disk (and tape cartridge) shredding for quite reasonable prices (you can witness the mayhem and sign off on it) however my last employer absolutely refused to contemplate using these, preferring instead that I put hundreds of manhours into developing a secure erase process which still left us with mountains of small or worn out drives to get rid of

  6. rskurat

    unenforced regs everywhere you look

    Glad to know I can do anything I want with folks' personal data and there will be no consequences

  7. Anonymous Coward
    Anonymous Coward

    Nothing new

    In the 80s I was scavenging furniture from a local "donated used furniture for free" type place, and came upon several entire filing cabinets filled with medical records from the local world-famous hospital. Ob-gyn department, no less. I tried to blow the whistle anonymously to local newspapers, providing samples, but nothing happened, because I'm not in the habit of buying full page ads every week. Thus my anonymous posting, I still need to work in this town.

    Then lightning strikes again, ten years later, when I'm walking through a parking lot on a windy day when overflowing wastepaper from a nearby dumpster blew over and wrapped itself around my leg. Medical records from a local private practice, which I found were overflowing the dumpster and blowing around. Again the anonymous whistle blowing with samples, again nothing.

    My opinion: if medical personnel will randomly dump actual paper copies of medical records into insecure public trash, they will sure as heck not bother to wipe the hard drives they get rid of.

    Tangent note: in the 90s I was at a conference on the then still futuristic concept of electronic medical records. One speaker recounted how, when he was trying to sell a hospital on his product, and someone brought up "what about security from hackers?" he would call for a 15 minute break in the presentation; after which he would return to the podium, with a fistful of paper patient charts he had just grabbed from the nearest nurses' station when nobody was looking.

    1. Anonymous Coward
      Anonymous Coward

      Re: Nothing new

      > My opinion: if medical personnel will randomly dump actual paper copies of medical records into insecure public trash, they will sure as heck not bother to wipe the hard drives they get rid of.

      In general many/most people see following documented/required procedures as annoying and will find easier ways to do things.

      I had the situation where a central Northern Ireland health service agency sent an email with some of my health-related personal data attached which was encrypted (that's good!) to my GP Practice via email. However the same person then sent the decryption password via a 2nd email to the GP Practice less than 1 minute after they sent the 1st email (WTF!). The same agency (same person I assume) then did exactly the same thing again about 1 week later.

      These were clear breaches of the agency's security policy which stated that decryption passwords must be sent via a different means (i.e. phone call, SMS, etc) than encrypted data.

      The ICO case officer who looked into this (as part of a large data protection complaint I raised) decided that the only action to be taken was that the agency should create a security policy to forbid such actions (despite the agency *already* having such a policy, a copy of which I had provided to the ICO as part of the original complaint)...

  8. gzuckier

    Aren't encrypted hard drives a thing?

    At one point my employer went through everybody's PCs and encrypted the hard drives, IIRC.

    1. MachDiamond Silver badge

      Re: Aren't encrypted hard drives a thing?

      "At one point my employer went through everybody's PCs and encrypted the hard drives, IIRC."

      If it isn't necessary, the downsides are problematic. Businesses would need a very robust way to escrow keys since somebody leaving could be a huge problem if there's no way to access the data on their computer.

      1. Cliffwilliams44 Silver badge

        Re: Aren't encrypted hard drives a thing?

        This is not hard! If you are in this profession and you think it is, maybe find a different one!

        The only issue is, if those responsible for the computers decommission a computer and remove it from the system that managed the keys (e.g Active Directory), you cannot revive the data, sorry, suck to be you!

  9. Conundrum1885

    Once found

    A microSD with NASA unreleased (at the time) data on it.

    Did the 'right thing' and contacted them, eventually the page it linked to (28C1Chksum) was taken down.

    Later on found out that someone had downloaded it to a card for 'research' and evidently messed up, the card had

    locked itself and couldn't be erased.

    Oddly enough it read as all zeros on my other card reader so it was half working.

    I experimented with erasng cards with this fault, turns out that it is quite feasible but the method isn't well known.

    1. Alan Brown Silver badge

      Re: Once found

      Let me guess: It requires SDI bit banging?

      I have a few such SDs (including some from "reputable" makers which failed this way after only a few weeks/hundred Mb - no they aren't fakes)

      The hardest part about dealing with this kind of issue is finding a SDcard reader which offers this level of assess. The alternative is dedicating a RasPi or similar to the job - AFTER working out how to make it boot from something other than the SDcard (for obvious reasons)

  10. TeeCee Gold badge
    Facepalm

    Obvious, really.

    ...used to be based in Breda before going out of business.

    Company goes bust, receivers flog off any assets, creditors and shareholders get almost bugger all back. There usually isn't much by way of handover of the assets concerned and the process tends to be along the lines of "auction it off and ignore any objections".

    Looks like there may be a bankruptcy shaped loophole in the legislation governing data destruction.

  11. CorwinX Bronze badge

    Back in the day, when I worked in the City...

    Decommissioning a drive from one of the RAID arrays meant a call to building maintenace to tip up with a quarter inch hammer drill.

    With acetone then poured then into the hole.

    Photographed and documented.

  12. Anonymous Coward
    Anonymous Coward

    Salt and acid

    Drill a decent sized hole in the Drive casing.

    Wallop said drive with a ball peen hammer, multiple times.

    Insert into bucket of salty pool water.

    Pour in 1 to 2 cups of hydrochloric acid.

    Leave for 1 week or until moisture evaporates.

    Bury.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like