DataBreaches.Net

Demonstration: wiping hard drives is not sufficient to secure PHI

Posted on July 13, 2011 by Dissent

Watch this video. The hard drives belonged to Bayou City Medical Center, and over 100,000 files with patient information were recovered, containing names, Social Security numbers, dates of birth, and much more… after the drive had reportedly been wiped and reformatted.

I do not know if this breach was ever in the media or reported to HHS. Does any reader know?

Category: Health Data

5 thoughts on “Demonstration: wiping hard drives is not sufficient to secure PHI”

  1. Anonymous says:
    July 13, 2011 at 10:53 am

    The video was a piece of self-serving tripe. Any idiot knows that hitting “delete” doesn’t destroy a file. Or at least they would if they thought for a minute about how you can recover a “deleted” file from the “trash” folder in seconds.

    But, clearly, the hospital did not follow recommended procedures for data destruction, as specified in the Federal breach notification law.

    1. Anonymous says:
      July 13, 2011 at 11:26 am

      This wasn’t just a “delete” situation or I wouldn’t have posted it – because I agree with you that most people do know by now that deleting files isn’t adequate. But if you listen/watch the segment again, they say that the drive had been *wiped and reformatted* by the hospital but was still recoverable. I thought that was worth posting.

      Either way, we agree that the data destruction was inadequate.

      1. Anonymous says:
        July 13, 2011 at 12:42 pm

        Well…”wiped” can mean pretty much anything when it comes to deleting data. It can mean that someone “deleted files from the ‘trash’ folder” (leading to the results in the video) or that information was written over (which would not lead to the results in the video, at least not to that extent). Based on the results we see above, I’ll bet that “wiped” in this case refers to the former.

        “Formatting” does *not* delete data. It creates a new file system for the rest of the computer’s disk drive. Any information that was on that computer prior to the formatting will remain intact for the most part. If you will, it’s like taking a file cabinet and rearranging the folders because that’s how the new secretary likes it: the secretary can now efficiently find stuff but the old data is still there.

        (The analogy breaks down because, in a newly formatted computer, finding the old files requires special software but you get the idea.)

        The only accepted method for truly eviscerating digital data is to write over it (free software exists and is available on the internet), encryption (which pretty much amounts to writing over it, if you decided to lose the key), and destroying the hard disk.

        Under HIPAA, the last option is the only option when it comes to retiring old computer equipment, as far as I know. On a practical level, rewrites and encryption should also be acceptable, but you can’t argue with total destruction when it comes to absolute data safety.

        1. Anonymous says:
          July 13, 2011 at 12:46 pm

          Thanks for that explanation.

          Personally, I use the sledgehammer approach on old drives. My only regret is that I didn’t know about printer/copier drives years ago when I got rid of one copier. In the future, they get the sledgehammer treatment, too.

        2. Anonymous says:
          July 13, 2011 at 1:01 pm

          Oops. Just watched the video again, and caught where they said that “wiping software is not enough…”

          That’s an interesting statement to make. I guess it’s a matter of which software you used to wipe the disk (not all are created the same), but the fundamental question is: how do they know data overwriting software was used in this case? Did they call up the Bayou Medical Center and get an affidavit?

Comments are closed.
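
The distinction drawn in the comments between formatting and overwriting can be shown on a toy disk image. This is an added example, not part of the original post or of any comment; the block layout, the "TOYFS" signature, the function names and the sample record are all constructed assumptions. It also shows the check a sanitization procedure should end with: reading every block back and confirming it holds only the wipe pattern.

```python
"""Toy disk image: quick format vs. full overwrite, with a read-back verification pass."""

BLOCK = 512          # bytes per block (constructed toy geometry)
META_BLOCKS = 4      # blocks holding file-system metadata in this hypothetical layout
TOTAL_BLOCKS = 64

# Constructed sample record; not real patient data.
RECORD = b"NAME=Jane Sample;DOB=1970-01-01;ID=000-00-0000"

def build_image():
    """Return a toy image with metadata up front and one record in block 10."""
    img = bytearray(BLOCK * TOTAL_BLOCKS)
    img[0:8] = b"TOYFS-v1"                     # metadata: file-system signature
    img[8:16] = (10).to_bytes(8, "little")     # metadata: pointer to the record's block
    img[10 * BLOCK:10 * BLOCK + len(RECORD)] = RECORD
    return img

def quick_format(img):
    """Recreate only the metadata blocks, as a format does; data blocks are untouched."""
    img[0:META_BLOCKS * BLOCK] = bytes(META_BLOCKS * BLOCK)
    img[0:8] = b"TOYFS-v1"

def overwrite(img, pattern=0x00):
    """Write the wipe pattern over every block of the image."""
    img[:] = bytes([pattern]) * len(img)

def residual_blocks(img, pattern=0x00, skip_blocks=0):
    """Return indices of blocks holding anything other than the wipe pattern."""
    expected = bytes([pattern]) * BLOCK
    return [i for i in range(skip_blocks, len(img) // BLOCK)
            if bytes(img[i * BLOCK:(i + 1) * BLOCK]) != expected]

def verify_wipe(img, pattern=0x00):
    """True only if every block, metadata included, matches the wipe pattern."""
    return not residual_blocks(img, pattern)

def demo():
    formatted = build_image()
    quick_format(formatted)                    # pointer to block 10 is gone, data is not
    wiped = build_image()
    overwrite(wiped)
    return {
        "data_blocks_left_after_format": residual_blocks(formatted, skip_blocks=META_BLOCKS),
        "record_survives_format": RECORD in formatted,
        "format_passes_verification": verify_wipe(formatted),
        "overwrite_passes_verification": verify_wipe(wiped),
    }

if __name__ == "__main__":
    print(demo())
```
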
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.