Hundreds of Dutch medical records bought for pocket change at flea market

15GB of sensitive files traced back to former software biz


Typically, shoppers can expect to find tie-dye t-shirts, broken lamps and old disco records at flea markets. Now, it seems, storage drives filled with huge volumes of sensitive data can be added to that list.

Robert Polet, a 62-year-old techie and apparent bargain hunter from Breda, a city in the southern part of the Netherlands, inadvertently happened upon a 15GB trove of sensitive medical records after picking up a quintet of 500GB hard drives for €5 ($5.21) each.

And where exactly was this cybercriminal goldmine? At a flea market next to Weelde airbase, obviously.

He told broadcaster Omroep Brabant, which first reported the story (translated from Dutch): "A few weeks ago, I came back from Turnhout in Belgium. I was on my way home but stopped at Weelde [airfield] because I really had to go to the toilet. There was a flea market next to the airbase. I went to have a look and bought five hard drives of 500GB each for €5 each..."

Polet is a lifelong computer nerd and has worked with them for 30 years. "It's my passion and my life," he told the paper. When he's not at his day job working as a driver for people with disabilities, he's tinkering with tech "often for free, sometimes for a pack of tobacco."

He's also a keen photographer, which is why he decided to scoop up the flea market HDDs at a low price – more storage for his snaps and drone footage. 

After hooking them up when he returned home, Polet found medical data on the HDDs, including the Dutch equivalent of Social Security Numbers, dates of birth, home addresses, medication details, and other GP and pharmacy data. The records were from 2011-2019 and pertain mainly to individuals around the Utrecht, Houten, and Delft regions.

"That was quite a shock," he said. "I thought 'How could something like this happen'? My sister or I could easily have been among them."

Polet drove back to the flea market after making his discovery and bought the remaining ten hard drives from the same individual. "Luckily they were still there," he said.

The natural question to ask next is how the data came to be at a flea market, and which organization it belonged to.

Polet only looked at a small portion of the files – he examined just two of the total 15 disks – but that was enough to deduce the affected healthcare organization was an unidentified one based in Utrecht.

That organization told Polet the data originated from Nortade ICT Solutions, which used to be based in Breda before going out of business. An associated website has lapsed, The Reg notes. It was an IT company developing software for, you guessed it, the healthcare sector.

Dutch law mandates that storage devices like HDDs that contain medical data must be erased by a professional, and the erasure must be certified.

"The normal procedure is to have them destroyed by a professional company, but that costs money, and by selling the hard drives off the company would have brought in a small amount of cash," said Malwarebytes offering its take on things.

It added that there are multiple ways of securely erasing disk data, from overwriting it with random data (single or multiple passes) to invoking the secure erase command in the drive firmware (where available), all the way to physically chopping up the disk and burning each piece.
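The overwrite approach described above, as an added example that is not from the article or from Malwarebytes: a Python routine that wipes a disk image with random passes followed by a zero pass, and a sampling check a decommissioning process could use to confirm the result. It assumes an ordinary file stands in for the block device, and the check is a spot check only; it cannot reach sectors the firmware has remapped, which is where the firmware secure-erase command or physical destruction comes in.

```python
# Added example, not code from the article or from any company it names.
# Overwrite-wipes a disk image with random passes and a final zero pass, then
# verifies by sampling blocks. A regular file stands in for the drive so the
# example runs offline.
import os
import secrets

BLOCK = 4096  # typical physical sector size


def overwrite_device(path: str, random_passes: int = 1) -> int:
    """Overwrite every byte of `path` in place: `random_passes` passes of random
    data, then one pass of zeros so the result can be verified afterwards.
    Returns the total number of bytes written across all passes."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        for pass_no in range(random_passes + 1):
            f.seek(0)
            for off in range(0, size, BLOCK):
                n = min(BLOCK, size - off)
                # The last pass is zeros; every earlier pass is random data.
                chunk = bytes(n) if pass_no == random_passes else secrets.token_bytes(n)
                written += f.write(chunk)
            f.flush()
            os.fsync(f.fileno())  # make sure each pass actually reached the media
    return written


def sample_is_zeroed(path: str, samples: int = 64) -> bool:
    """Read `samples` evenly spaced blocks plus the first and last block and
    return True only if every byte read is zero. This is a spot check, not
    proof: it cannot see sectors the drive firmware has remapped, so for real
    drives the firmware secure-erase command or destruction is the fallback."""
    size = os.path.getsize(path)
    if size == 0:
        return True
    nblocks = (size + BLOCK - 1) // BLOCK
    step = max(1, nblocks // samples)
    offsets = set(range(0, nblocks, step)) | {0, nblocks - 1}
    with open(path, "rb") as f:
        for b in sorted(offsets):
            f.seek(b * BLOCK)
            if any(f.read(BLOCK)):  # any non-zero byte means data survived
                return False
    return True
```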

Malwarebytes also said individuals should be sure to request their data be erased from public records.

"In the Dutch case, it's remarkable and painful that such a company would have this type of information stored on their drives," it said. 

"First of all, the software provider had no right to store this information. Secondly, even with a legitimate reason to store them, the data should have been encrypted, and of course, the hard drives should have been decommissioned responsibly."

But even those most vigilant about protecting their personal data would be unlikely to request that it be erased, since the data is often used to deliver healthcare services without undue friction. ®
