"Horror discovered: 15GB of Dutch medical records unearthed on 5 euro hard drives bought from a flea market, potentially leading to a catastrophic data breach, according to experts"

Second-hand hard drives uncovered in a Dutch tech enthusiast's restroom reveal 15GB of confidential medical data.

"A disturbing discovery: Fifteen gigabytes of Dutch medical data, stored on economical €5 hard drives, uncovered at a flea market; experts caution that this could have triggered a catastrophic data leak"

In a shocking turn of events, a Dutch IT company, Nortade ICT Solutions, has come under scrutiny for poor data protection practices. The company, which no longer exists and developed software for the healthcare sector, allowed sensitive medical data to be sold at a Belgian flea market.

The data, including Dutch citizen service numbers (BSN), dates of birth, addresses, prescriptions, and other medical information, is linked to individuals from the Utrecht, Delft, and Houten regions. The first report of the incident was made by 62-year-old Robert Polet from Breda, who purchased the hard drives and found them to be full of medical data from the period between 2011 and 2019.

After contacting the affected healthcare organization, Polet was informed that the data originated from Nortade ICT Solutions. The hard drives containing the data were found for sale at a flea market in Belgium for roughly €5 each.

Victoria Hordern, a data protection specialist at Taylor Wessing, states that the healthcare organization that contracted Nortade ICT Solutions could be subject to investigation. Rick Goud, CIO and co-founder at email security and file transfer platform Zivver, describes the incident as a business's "worst nightmare" and notes he was not surprised by it.

Goud believes the data leak via improperly handled hardware indicates a period where data protection was not a priority for some organizations working with healthcare data. However, he attributes the improvement in attitudes around data protection to higher risk awareness driven by legislation and standards like ISO 27001 and NEN 7510.

ISO 27001 and NEN 7510 are international and Dutch standards, respectively, for information security management systems (ISMS) and information security in healthcare organizations. They require organizations to systematically manage sensitive data by applying risk management processes, implementing controls to reduce information security risks, and continuously monitoring and improving the system.

Goud mentions that regulations like ISO 27001 and NEN 7510 have been around for some time but only became legally enforceable on healthcare organizations roughly four years ago. He estimates that only 2-3% of suppliers and healthcare organizations had the type of certification required by these standards in 2011 to 2019. Today, he states, closer to 70 or 80% in the Netherlands have this type of certification.

Goud warns that some businesses may run into security weaknesses when they have handed off the problem to a third party. He feels there has been a 'mindset shift' in data protection since then, with a significant change in practices. However, the specific details of the lapse and of the measures in place at Nortade ICT Solutions are not available, so it is unclear whether the company complied with these standards after they became legally binding.

Despite the lack of specific information, the case serves as a stark reminder of the importance of data protection, particularly in the healthcare sector. Organizations must ensure they are following best practices to protect sensitive information, whether they manage it themselves or outsource it to a third party.

  1. The case of Nortade ICT Solutions highlights the necessity for third-party vendors in the healthcare sector, particularly those handling sensitive data, to obtain cybersecurity certification like ISO 27001, as it may have prevented the leak of data dating from 2011 to 2019.
  2. Given the staggering number of vulnerable individuals from the Utrecht, Delft, and Houten regions whose sensitive medical data was sold at a Belgian flea market, it is imperative for organizations to prioritize cybersecurity technology and compliance with data protection standards like NEN 7510 to mitigate future instances of data breaches.
