Hundreds of Dutch medical records bought for pocket change at flea market

15GB of sensitive files traced back to former software biz


Typically, shoppers can expect to find tie-dye t-shirts, broken lamps and old disco records at flea markets. Now it seems storage drives filled with huge volumes of sensitive data can be added to that list.

Robert Polet, a 62-year-old techie and apparent bargain hunter from Breda, a city in the southern part of the Netherlands, inadvertently happened upon a 15GB trove of sensitive medical records after picking up a quintet of 500GB hard drives for €5 ($5.21) each.

And where exactly was this cybercriminal goldmine? At a flea market next to Weelde airbase, obviously.

He told broadcaster Omroep Brabant, which first reported the story (translated from Dutch): "A few weeks ago, I came back from Turnhout in Belgium. I was on my way home but stopped at Weelde [airfield] because I really had to go to the toilet. There was a flea market next to the airbase. I went to have a look and bought five hard drives of 500GB each for €5 each..."

Polet is a lifelong computer nerd and has worked with them for 30 years. "It's my passion and my life," he told the broadcaster. When he's not at his day job working as a driver for people with disabilities, he's tinkering with tech "often for free, sometimes for a pack of tobacco."

He's also a keen photographer, which is why he decided to scoop up the flea market HDDs at a low price – more storage for his snaps and drone footage. 

After hooking them up when he returned home, Polet found medical data on the HDDs, including the Dutch equivalent of Social Security Numbers, dates of birth, home addresses, medication details, and other GP and pharmacy data. The records were from 2011-2019 and pertain mainly to individuals around the Utrecht, Houten, and Delft regions.

"That was quite a shock," he said. "I thought 'How could something like this happen'? My sister or I could easily have been among them."

Polet drove back to the flea market after making his discovery and bought the remaining ten hard drives from the same individual. "Luckily they were still there," he said.

The natural question to ask next is how the data came to be at a flea market, and to what organization did it belong?

Polet only looked at a small portion of the files – he examined just two of the 15 disks – but that was enough to identify the affected healthcare organization, which is based in Utrecht and has not been named.

That organization told Polet the data originated from Nortade ICT Solutions, an IT company that developed software for, you guessed it, the healthcare sector. It used to be based in Breda before going out of business, and an associated website has lapsed, The Reg notes.

Dutch law mandates that storage devices like HDDs that contain medical data must be erased by a professional, and the erasure must be certified.

"The normal procedure is to have them destroyed by a professional company, but that costs money, and by selling the hard drives off the company would have brought in a small amount of cash," said Malwarebytes, offering its take on things.

It added there are multiple ways of securely erasing disk data, from overwriting it with random data (single or multiple passes) to invoking the secure erase command in the firmware (where available), all the way to physically chopping up the disk and burning each piece.
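A wipe-and-verify step for the overwrite approach mentioned above, as an added example rather than anything from the article or Malwarebytes: it overwrites a drive (or, here, a constructed image file) with random data, rescans it for byte strings that must not survive, and produces an erasure record of the kind a certified decommissioning process would keep. The marker strings, the record layout and the device path are assumptions.

```python
import mmap
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB write unit

def overwrite_random(path, passes=1):
    """Overwrite every addressable byte at `path` with random data, `passes` times.
    On SSDs this misses remapped/spare blocks; only the firmware secure-erase command reaches those."""
    with open(path, "r+b", buffering=0) as dev:
        size = os.lseek(dev.fileno(), 0, os.SEEK_END)  # st_size is 0 for block devices
        for _ in range(passes):
            dev.seek(0)
            for done in range(0, size, CHUNK):
                dev.write(os.urandom(min(CHUNK, size - done)))
            os.fsync(dev.fileno())
    return size * passes

def residual_markers(path, markers):
    """Rescan the media for byte strings that must not survive the wipe."""
    hits = []
    with open(path, "rb") as dev:
        size = os.lseek(dev.fileno(), 0, os.SEEK_END)
        with mmap.mmap(dev.fileno(), size, access=mmap.ACCESS_READ) as view:
            for m in markers:
                pos = view.find(m)
                while pos != -1:
                    hits.append((pos, m))
                    pos = view.find(m, pos + 1)
    return hits

def erasure_record(path, method, passes, hits):
    """Evidence entry for the decommissioning log (hypothetical layout)."""
    return {"device": path, "method": method, "passes": passes,
            "residual_markers_found": len(hits), "verified_clean": not hits,
            "verified_at": datetime.now(timezone.utc).isoformat()}

def demo(passes=1):
    """Constructed 4 MiB image holding a fake record line; no real data involved."""
    markers = (b"Patient: Jansen", b"BSN: 000000000", b"medicatie: ")
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"\0" * (2 * CHUNK) + b" ".join(markers) + b"\n" + b"\0" * (2 * CHUNK))
        image = tmp.name
    try:
        before = len(residual_markers(image, markers))
        overwrite_random(image, passes)
        return before, erasure_record(image, "random-overwrite", passes, residual_markers(image, markers))
    finally:
        os.unlink(image)
```

Against a real drive, `demo()` is replaced by a call of `overwrite_random` and `residual_markers` on the device path, run as a user with write access to it.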

Malwarebytes also said individuals should be sure to request their data be erased from public records.

"In the Dutch case, it's remarkable and painful that such a company would have this type of information stored on their drives," it said. 

"First of all, the software provider had no right to store this information. Secondly, even with a legitimate reason to store them, the data should have been encrypted, and of course, the hard drives should have been decommissioned responsibly."

But even those most vigilant about protecting their personal data would be unlikely to request that it be erased, since it is often used to deliver healthcare services without undue friction. ®
