It’s been a while since DataBreaches posted a story about unerased drives with tons of sensitive information being purchased at a flea market or auction, but here we are again, and this time in the Netherlands. Connor Jones reports:
Robert Polet, a 62-year-old techie and apparent bargain hunter from Breda, a city in the southern part of the Netherlands, inadvertently happened upon a 15GB trove of sensitive medical records after picking up a quintet of 500GB hard drives for €5 ($5.21) each.
[…]
After hooking them up when he returned home, Polet found medical data on the HDDs, including the Dutch equivalent of Social Security Numbers, dates of birth, home addresses, medication details, and other GP and pharmacy data. The records were from 2011-2019 and pertain mainly to individuals around the Utrecht, Houten, and Delft regions.
Read more at The Register.
Now what will the Dutch data protection authority do given that the named company has gone out of business? Will they still hold parties accountable and make them take action or fine them? It will be interesting to see if there’s a follow-up to this story, but there may not be. This story was originally reported at Omroepbrabant.nl. A machine translation of the last paragraph of that story reads:
Robert has approached a number of GPs, pharmacies and healthcare institutions to inform them about this leak. He has also contacted the Dutch Data Protection Authority (AP). A spokesperson for AP says that he cannot comment on Robert’s discovery and report. “If a company or organisation has reported a leak, we may be able to say more about it.”
So if there is no company or organization left with standing to report an incident, they may not be able to say anything? Or they may not be able to do anything? Or both?