AREA41
A random bathroom stop at an abandoned Dutch airport led a tech enthusiast to purchase five used hard drives for five euros each. Instead of blank storage, they found unencrypted, highly sensitive medical records—including citizen identification numbers, prescriptions, and scans. When the buyer returned for the rest, bringing the total to nearly fifty drives, local police and the data protection authority declined to investigate because selling unsanitized hardware is not legally classified as theft. The case ultimately fell to Z-Cert, the Dutch national healthcare computer emergency response team, where digital forensics investigator Marina Bochenkova took over to trace the data's origin.
The initial analysis proved logistically messy. After copying nearly two terabytes of disorganized data from the physical drives, Bochenkova’s colleague attempted to map the contents using Autopsy. Finding this inefficient, Bochenkova switched to Velociraptor’s dead disk forensics mode. By feeding raw disk images into Velociraptor and generating remapping and write-back files, they treated the inert drives as simulated live endpoints. They focused purely on file system metadata to minimize exposure to the raw patient records. Querying MACB (Modified, Accessed, Created, Born) timestamps and USB connection artifacts, they successfully identified which files had been copied post-mortem—as copied files generate a new birth time while inheriting the original modified time.
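The birth-versus-modified heuristic described above can be run over exported file system metadata alone, without opening any file contents. The following is an added example, not code from the investigation or from Velociraptor: the function names, the two-second tolerance, the ten-minute session gap and the sample rows are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample rows (path, modified, born); not data from the case.
ROWS = [
    ("E:/archive/a.pdf",  "2019-03-04T10:15:00", "2021-11-20T22:01:05"),
    ("E:/archive/b.pdf",  "2020-07-11T08:30:00", "2021-11-20T22:01:40"),
    ("E:/work/c.docx",    "2018-01-02T09:00:00", "2018-01-02T08:59:00"),
    ("E:/export/d.xlsx",  "2021-05-05T12:00:00", "2022-02-01T14:00:00"),
    ("E:/tmp/e.tmp",      "2020-01-01T00:00:00", None),
    ("E:/notes/f.txt",    "2020-06-06T06:06:06", "2020-06-06T06:06:06"),
]

def _parse(ts):
    return datetime.fromisoformat(ts) if ts else None

def find_copied(rows, tolerance=timedelta(seconds=2)):
    """Return (path, modified, born) for files born after they were last modified.

    A file created in place is born first and modified later; a copy keeps the
    source's modified time but gets a fresh birth time on the destination.
    The tolerance (assumed) absorbs coarse timestamp resolution.
    """
    hits = []
    for path, modified, born in rows:
        m, b = _parse(modified), _parse(born)
        if m is None or b is None:   # file system did not record the value
            continue
        if b - m > tolerance:
            hits.append((path, m, b))
    return sorted(hits, key=lambda h: h[2])

def copy_sessions(hits, max_gap=timedelta(minutes=10)):
    """Group copied files into bursts whose birth times lie within max_gap."""
    sessions = []
    for hit in hits:
        if sessions and hit[2] - sessions[-1][-1][2] <= max_gap:
            sessions[-1].append(hit)
        else:
            sessions.append([hit])
    return sessions

if __name__ == "__main__":
    for n, session in enumerate(copy_sessions(find_copied(ROWS)), 1):
        start, end = session[0][2], session[-1][2]
        print(f"session {n}: {len(session)} file(s), {start} to {end}")
        for path, modified, _ in session:
            print(f"  {path} (content last modified {modified})")
```

Archive extraction and backup restores produce the same pattern, so a hit indicates that the file arrived on the volume after its content was last changed, not necessarily a manual copy.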
A master list found on drive 48 revealed 143 compromised healthcare organizations. Moving beyond the disks, Bochenkova reconstructed the corporate footprint of Nortada, the defunct IT provider responsible for the data. Through municipal death records and corporate registry databases, they discovered Nortada's owner had died in July 2022. The company’s assets, including the hard drives, were left in the hands of a liquidating notary. When Bochenkova contacted the notary, they received no reply; instead, the notary quietly altered and closed the associated nonprofit's corporate registration a week later.
Tracking down a former Nortada employee through the Dutch national fencing circuit confirmed the provider's history of severe financial instability, including months of unpaid wages. This insolvency likely motivated the liquidators to sell off physical assets without prioritizing data destruction. While regulatory loopholes protect the notary from immediate criminal charges, Z-Cert is currently notifying the 143 exposed organizations. Bochenkova's investigation proves that legacy asset retirement remains a massive, unmonitored supply chain vulnerability for the healthcare sector.