A chilling discovery: a batch of €5 hard drives bought at a flea market contained 15GB of sensitive Dutch medical data, in what experts describe as a potentially catastrophic data breach
In the heart of the Netherlands, a data breach involving sensitive medical information shook the nation. The culprit was an IT company, Nortade ICT Solutions, which had been entrusted with handling such delicate data. The data, originating from the Utrecht, Delft, and Houten regions, was found for sale at a Belgian flea market, raising serious concerns about the security measures in place at the company.
The data included Dutch citizen service numbers (BSN), dates of birth, addresses, prescriptions, and other medical information, potentially affecting countless individuals. The hard drives containing the data were sold for roughly €5 each, underscoring the importance of secure storage device management.
At the time, only 2-3% of suppliers and healthcare organizations held the type of certification required by ISO 27001 and NEN 7510, standards that set out procedures and best practices for data protection and for decommissioning old storage devices. Today, an estimated 70 to 80% of suppliers and healthcare organizations in the Netherlands hold these certifications.
Rick Goud, CIO and co-founder at email security and file transfer platform Zivver, described the incident as a business' 'worst nightmare'. He felt the data leak via improperly handled hardware was indicative of a period where data protection was not front of mind for some organizations working with healthcare data. Goud attributed the improvement in data protection to higher risk awareness driven by legislation and standards such as ISO 27001 and NEN 7510, which have been around for some time but only became legally enforceable on healthcare organizations roughly four years ago.
Healthcare organizations that engage third-party providers are required to carry out appropriate due diligence to ensure data security. Failure to do this could result in investigation and enforcement action from the data protection authority. Victoria Hordern, a data protection specialist at Taylor Wessing, stated that both Nortade ICT Solutions and the healthcare organization that contracted it could be subject to investigation.
Goud noted that there has been a 'mindset shift' in data protection since then, with a significant change in practices. Best practices for data protection and secure storage device management usually include encryption of sensitive data at rest and in transit, strong access controls and authentication mechanisms, regular security training for employees, incident response plans for potential breaches, use of secure disposal methods for storage devices no longer in use, and compliance with sector-specific standards such as ISO/IEC 27001 for information security management and regulations like GDPR’s requirements on personal data protection.
The data breach at Nortade ICT Solutions served as a stark reminder of the importance of data protection and the potential consequences of negligence. The discovery of the data leak was made by 62-year-old Robert Polet from Breda, highlighting the role that vigilant citizens can play in uncovering such incidents. As the healthcare sector continues to digitalise, ensuring the security of sensitive data will remain a top priority.
- The data breach at Nortade ICT Solutions, a company that had been entrusted with handling sensitive medical data, underscores the importance of cybersecurity certification in the technology sector, particularly in the handling of healthcare data.
- To prevent incidents like the one at Nortade ICT Solutions, best practices for cybersecurity should include encryption of sensitive data, strong access controls, regular security training, incident response plans, secure disposal methods for storage devices, and compliance with standards such as ISO/IEC 27001 and regulations like GDPR.