Hard drives containing sensitive medical data found in flea market

A flea market buyer found medical information about hundreds of patients on second-hand, decommissioned hard drives.

Malwarebytes

Somebody bought a batch of 15 GB hard drives from a flea market, and during a routine check of the contents they found medical data about hundreds of patients.

After some more investigation in the Netherlands, it turned out the data came from a software provider in the medical industry which had gone bankrupt.

Under Dutch law, storage media with medical data must be professionally erased with certification. The normal procedure is to have them destroyed by a professional company, but that costs money, and by selling the hard drives off, the company would have brought in a small amount of cash.

This incident reminded me of two important security measures that we sometimes overlook.

The first is obvious. Computers are very bad at “forgetting” things. When you delete a file, the system doesn’t actually remove the file from your hard drive. Only the location of the file is set to “unused” so it may be overwritten at some point, but it often can be recovered. So you need to be careful how you decommission your old hard drives or any devices that have data on them.

One method is to overwrite the present data with zeroes or random numbers. There are several levels of overwriting hard drives:

  • Single-pass overwrite: Writing zeros or random data once across the entire disk is often sufficient for traditional hard drives.
  • Multi-pass overwriting: More secure methods involve multiple passes (e.g., 3-pass or 7-pass), which can further reduce the chance of data recovery.
  • NIST 800-88 method: A recognized standard that includes overwriting with random data followed by zeros and verification. This is the type of method we would like to see when it comes to sensitive data like medical information.
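The overwrite-then-verify idea from the list above, run on a constructed temporary file standing in for a traditional hard drive. This is an added example, not code from the original article; the function names and the sample record are assumptions made for illustration.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # read/write 1 MiB at a time

def overwrite(path, fill=b"\x00"):
    """Single pass: write `fill` over every byte of an existing file or device."""
    with open(path, "r+b", buffering=0) as f:
        remaining = f.seek(0, os.SEEK_END)  # size; also works on block devices
        f.seek(0)
        block = fill * CHUNK
        while remaining > 0:
            remaining -= f.write(block[:min(CHUNK, remaining)])
        os.fsync(f.fileno())  # force the pass out of the OS write cache

def verify(path, fill=b"\x00"):
    """Read everything back; return offset of the first byte != fill, else None."""
    # Caveat: a read right after the write may be served from the OS page cache,
    # so on a real drive run the verification again after re-attaching it.
    with open(path, "rb", buffering=0) as f:
        offset = 0
        while True:
            data = f.read(CHUNK)
            if not data:
                return None
            if data.count(fill) != len(data):
                return offset + next(i for i, b in enumerate(data) if b != fill[0])
            offset += len(data)

def make_sample(size=3 * CHUNK + 123):
    """Constructed stand-in for a drive: a temp file filled with a fake record."""
    fd, path = tempfile.mkstemp()
    record = b"PATIENT;constructed-sample;2024-01-01\n"
    with os.fdopen(fd, "wb") as f:
        f.write((record * (size // len(record) + 1))[:size])
    return path

if __name__ == "__main__":
    sample = make_sample()
    print("first leftover byte before wipe:", verify(sample))
    overwrite(sample)
    print("first leftover byte after wipe:", verify(sample))
    os.remove(sample)
```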

Some modern drives come with a secure erase command embedded in the firmware, but you need special software to execute the command, and it may require several rounds of overwrite.

Users who have a Windows computer with UEFI can use the secure erase option in their computer’s BIOS or UEFI settings. The exact steps depend on your computer’s manufacturer and model. Unless you’re afraid of law enforcement or a very skilled attacker, that should be enough. For computers pre-dating UEFI you will need specialized software. To find out whether your computer has UEFI:

  • Right-click the Start button
  • Select Run
  • Type msinfo32 and press OK
  • Click System Summary
  • Scroll down to the BIOS Mode value to check whether it says UEFI

Non-SSD drives can be degaussed, a method which uses a strong magnetic field to disrupt the magnetic storage on traditional hard drives. However, it is ineffective for SSDs and flash storage.

Which leaves physical destruction as the last option. The usual method to do this, called shredding, involves cutting up hard drives into small pieces and then burning them in an incinerator or shredding machine to destroy their magnetic properties.

The second security measure that is important is to have your data removed from publicly available records. In the Dutch case it’s remarkable and painful that such a company would have this type of information stored on their drives. First of all, the software provider had no right to store this information. Secondly, even with a legitimate reason to store it, the data should have been encrypted, and of course the hard drives should have been decommissioned responsibly.

Depending on the type of information and the origin, it seems unlikely that someone would consider asking for removal of the data. After all, often it’s important that medical information is shared among care providers.

On the other hand, there is a ton of information about everyone in publicly accessible places that we can keep under control by using data removal services. Using a data removal service increases online anonymity, which makes it harder for stalkers, phishers, other attackers, or advertisers to find personal details.
