DataBreaches.Net

Demonstration: wiping hard drives is not sufficient to secure PHI

Posted on July 13, 2011 by Dissent

Watch this video. The hard drives belonged to Bayou City Medical Center, and more than 100,000 files with patient information were recovered from them, containing names, Social Security numbers, dates of birth, and much more… after the drives had reportedly been wiped and reformatted.

I do not know if this breach was ever in the media or reported to HHS. Does any reader know?

Category: Health Data

5 thoughts on “Demonstration: wiping hard drives is not sufficient to secure PHI”

  1. Anonymous says:
    July 13, 2011 at 10:53 am

    The video was a piece of self-serving tripe. Any idiot knows that hitting “delete” doesn’t destroy a file. Or at least they would if they thought for a minute about how you can recover a “deleted” file from the “trash” folder in seconds.

    But, clearly, the hospital did not follow recommended procedures for data destruction, as specified in the Federal breach notification law.

    1. Anonymous says:
      July 13, 2011 at 11:26 am

      This wasn’t just a “delete” situation or I wouldn’t have posted it – because I agree with you that most people do know by now that deleting files isn’t adequate. But if you listen/watch the segment again, they say that the drive had been *wiped and reformatted* by the hospital but was still recoverable. I thought that was worth posting.

      Either way, we agree that the data destruction was inadequate.

      1. Anonymous says:
        July 13, 2011 at 12:42 pm

        Well… “wiped” can mean pretty much anything when it comes to deleting data. It can mean that someone “deleted files from the ‘trash’ folder” (leading to the results in the video) or that information was written over (which would not lead to the results in the video, at least not to that extent). Based on the results we see above, I’ll bet that “wiped” in this case refers to the former.

        “Formatting” does *not* delete data. It creates a new file system for the rest of the computer’s disk drive. Any information that was on that computer prior to the formatting will remain intact for the most part. If you will, it’s like taking a file cabinet and rearranging the folders because that’s how the new secretary likes it: the secretary can now efficiently find stuff but the old data is still there.

        (The analogy breaks down because, in a newly formatted computer, finding the old files requires special software but you get the idea.)

        The only accepted methods for truly eviscerating digital data are to write over it (free software exists and is available on the internet), to encrypt it (which pretty much amounts to writing over it, if you decide to lose the key), or to destroy the hard disk.

        Under HIPAA, the last option is the only option when it comes to retiring old computer equipment, as far as I know. On a practical level, rewrites and encryption should also be acceptable, but you can’t argue with total destruction when it comes to absolute data safety.

        1. Anonymous says:
          July 13, 2011 at 12:46 pm

          Thanks for that explanation.

          Personally, I use the sledgehammer approach on old drives. My only regret is that I didn’t know about printer/copier drives years ago when I got rid of one copier. In the future, they get the sledgehammer treatment, too.

        2. Anonymous says:
          July 13, 2011 at 1:01 pm

          Oops. Just watched the video again, and caught where they said that “wiping software is not enough…”

          That’s an interesting statement to make. I guess it’s a matter of which software you used to wipe the disk (not all are created the same), but the fundamental question is: how do they know data overwriting software was used in this case? Did they call up the Bayou Medical Center and get an affidavit?
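
The mechanism the comment thread above describes, as an added example (not code from the post, the commenters, or the news segment): a delete or a reformat only rewrites the directory, the sectors keep their contents, a recovery tool carves the raw sectors and finds the records anyway, and only overwriting the sectors, or storing them encrypted and discarding the key, actually removes the data. The toy disk layout (a directory in sector 0, file data in later sectors), the directory entry format, the sample record and the SHA-256 counter keystream are all invented here for the demonstration; the keystream is a stand-in so the script runs with the standard library only, not a cipher to use for real crypto-erase.

```python
"""Toy disk model: why 'delete' and 'quick format' leave data carvable.
Constructed illustration; the layout below is invented for the demo."""
import hashlib
import re
import secrets

SECTOR = 512
NSECTORS = 64

# Constructed sample record with made-up identifiers (000- SSNs are never issued).
RECORD = b"PATIENT: Jane Doe; SSN: 000-12-3456; DOB: 1970-01-01\n"
# What a carving tool looks for in raw sectors, ignoring any file system.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def new_disk():
    return bytearray(SECTOR * NSECTORS)


def _directory(disk):
    raw = bytes(disk[:SECTOR]).rstrip(b"\0").decode()
    return [e.split(":") for e in raw.split(";") if e]  # [name, start, length]


def create_file(disk, name, data, start):
    """Write data at sector `start` and append a 'name:start:len;' entry to sector 0."""
    off = start * SECTOR
    disk[off:off + len(data)] = data
    entry = f"{name}:{start}:{len(data)};".encode()
    used = len(bytes(disk[:SECTOR]).rstrip(b"\0"))
    disk[used:used + len(entry)] = entry


def list_files(disk):
    return [name for name, _, _ in _directory(disk)]


def read_file(disk, name):
    for n, start, length in _directory(disk):
        if n == name:
            off = int(start) * SECTOR
            return bytes(disk[off:off + int(length)])
    return None


def delete_file(disk, name):
    """Unlink: drop the directory entry, leave the data sectors untouched."""
    kept = "".join(f"{n}:{s}:{l};" for n, s, l in _directory(disk) if n != name)
    disk[:SECTOR] = kept.encode().ljust(SECTOR, b"\0")


def quick_format(disk):
    """'New file system': an empty directory; every other sector is untouched."""
    disk[:SECTOR] = b"\0" * SECTOR


def carve_ssns(disk):
    """Recovery-tool view: scan the raw image, never consult the directory."""
    return [m.decode() for m in SSN_RE.findall(bytes(disk))]


def overwrite(disk):
    """One pass of random data over every sector: the data is actually gone."""
    disk[:] = secrets.token_bytes(len(disk))


def keystream(key, length):
    """Toy counter-mode keystream from SHA-256 (demo only, not a real cipher)."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:length])


def xor_keystream(data, key):
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def create_encrypted_file(disk, name, data, start, key):
    create_file(disk, name, xor_keystream(data, key), start)


def demo():
    """Carve after each stage; returns [(stage, ssns_found), ...]."""
    disk = new_disk()
    create_file(disk, "chart.txt", RECORD, start=5)
    stages = [("live", carve_ssns(disk))]
    delete_file(disk, "chart.txt")  # 'delete': entry gone, sectors intact
    stages.append(("deleted", carve_ssns(disk)))
    quick_format(disk)  # 'format': empty directory, sectors intact
    stages.append(("formatted", carve_ssns(disk)))
    overwrite(disk)  # actual sanitization
    stages.append(("overwritten", carve_ssns(disk)))
    return stages


def crypto_erase_demo():
    """Encrypted at rest: carving finds nothing; lose the key and it stays that way.
    Returns (ssns_carved, plaintext_recovered_with_key)."""
    key = secrets.token_bytes(32)
    disk = new_disk()
    create_encrypted_file(disk, "chart.txt", RECORD, 5, key)
    return carve_ssns(disk), xor_keystream(read_file(disk, "chart.txt"), key)


if __name__ == "__main__":
    for stage, found in demo():
        print(f"{stage:12s} carved: {found}")
    carved, plain = crypto_erase_demo()
    print(f"encrypted    carved: {carved}; with key: {plain.strip().decode()}")
```

The "live", "deleted" and "formatted" stages all carve the same SSN out of the image; only "overwritten" comes back empty, and the encrypted variant comes back empty while the key still decrypts the record. The model is deliberately simpler than a real drive: on physical media, remapped sectors and, on SSDs, wear-levelling keep copies that a host-side overwrite never touches, which is why sanitization standards distinguish a simple overwrite from drive-level purge commands and physical destruction.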

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.