Data leak: Breda man buys harddrives filled with medical data from flea market

Robert Polet, a 62-year-old man from Breda, discovered a huge data leak on a bunch of hard drives he bought at a flea market. They contained the medical data, including BSN numbers and medicine prescriptions, of hundreds of people, mainly from Utrecht, Houten, and Delft, Polet told Omroep Brabant.

Polet fixes up computers as a hobby and is always on the lookout for parts. He came across these hard drives by pure coincidence. “A few weeks ago, I came back from Turnhout in Belgium. I was on my way home but stopped at Weelde airport because I really had to go to the toilet. There was a flea market next to the airport. I went to have a look and bought five hard drives of 500 gigabytes each for five euros each.”

When he checked the drives at home, they turned out to be full of medical data from the period 2011 to 2019. “That was quite a shock. I thought: how can something like this happen?” The data includes patients’ medical prescriptions, addresses, dates of birth, and BSN numbers. After the discovery, he went back to the flea market and bought the other ten hard drives the seller had. The seller couldn’t tell Polet where he got the items.

An email exchange between Polet and an affected healthcare organization in the province of Utrecht revealed that the data originates from the company Nortade ICT Solutions from Breda. The company implemented software for the healthcare sector but it no longer exists.

Hard drives with medical data must be officially erased, with a certificate issued afterward stating that the data had been destroyed, Stefan Kasbergen, director of ASK Mobile Archive and Data Destruction, told the broadcaster. “We have customers who really work hard on that. Such a certificate has no legal value. That is why we destroy on location so that the customer sees that it is happening,” he said.

“As a company, you can choose to have it properly destroyed and then you pay money for that, or you can sell [the hard drives] to a ‘refurbisher’ and then you get money from it,” Kasbergen said. “In terms of costs, you can imagine what is often chosen.” He suspects these hard drives came from a bankruptcy sale and ended up at a flea market that way.

Polet reported his discovery to the Dutch Data Protection Authority (AP). A spokesperson could not comment further to Omroep Brabant. “If a company or organization reports a leak, we may be able to say more about it,” they said.