Full Report
Märten Hallismaa reports: A person who underwent X-ray imaging at West Tallinn Central Hospital (LTKH) was sent home with a USB drive that also contained the personal and health data of other patients. ERR has received information about a person who went to West Tallinn Central Hospital to undergo an X-ray. Because the images needed... Source
Analysis Summary
# Incident Report: West Tallinn Central Hospital (LTKH) Data Leak via Removable Media
## Executive Summary
A patient at West Tallinn Central Hospital (LTKH) was inadvertently provided with a USB drive containing not only their own medical imaging but also the personal and health data of multiple other patients. The incident, characterized as a physical media misconfiguration or procedural failure, resulted in the unauthorized disclosure of protected health information (PHI) to a third party.
## Incident Details
- **Discovery Date:** March 2026 (Reported March 30, 2026)
- **Incident Date:** March 2026
- **Affected Organization:** West Tallinn Central Hospital (LTKH)
- **Sector:** Healthcare
- **Geography:** Estonia
## Timeline of Events
### Initial Access
- **Date/Time:** March 2026
- **Vector:** Physical proximity/Service request.
- **Details:** A patient requested their X-ray images for transfer to a specialist. Hospital staff sold a "new" USB drive to the patient and loaded the data onto it.
### Lateral Movement
- **N/A:** This was not a network-based attack; it was a localized data handling error.
### Data Exfiltration/Impact
- **Details:** Patient files were copied onto a USB drive that was then handed to a member of the public. The drive contained X-rays and sensitive health data belonging to other, unrelated patients.
### Detection & Response
- **Discovery:** The incident was discovered by the patient upon returning home and reviewing the drive contents.
- **Response actions:** The incident was reported to ERR News. The hospital indicated an investigation would be launched following a formal complaint.
## Attack Methodology
*Note: This incident appears to be an operational error rather than a malicious external attack.*
- **Initial Access:** Authorized physical access by staff to the imaging workstation.
- **Persistence:** N/A.
- **Privilege Escalation:** N/A.
- **Defense Evasion:** Use of a legitimate, hospital-sanctioned storage device.
- **Credential Access:** N/A.
- **Discovery:** Access to local file directories or imaging archives.
- **Lateral Movement:** N/A.
- **Collection:** Improper selection of data or failure to format/sanitize a previously used drive.
- **Exfiltration:** Physical removal of the USB drive from the facility by the patient.
- **Impact:** Breach of confidentiality and violation of data protection regulations (GDPR).
## Impact Assessment
- **Financial:** Potential regulatory fines from Estonian data protection authorities.
- **Data Breach:** Personally Identifiable Information (PII) and Protected Health Information (PHI) of multiple patients.
- **Operational:** Minimal disruption to hospital services; primary impact is administrative/legal.
- **Reputational:** High; public reporting by ERR News highlights failures in basic data hygiene.
## Indicators of Compromise
- **Network indicators:** None.
- **File indicators:** Inclusion of non-matching Patient IDs on a single removable volume.
- **Behavioral indicators:** Deviation from standard media sanitization protocols.
## Response Actions
- **Containment measures:** Retrieval of the USB drive (pending).
- **Eradication steps:** Investigation of the imaging workstation and the batch of USB drives provided to patients.
- **Recovery actions:** Potential notification to the Data Protection Inspectorate (Andmekaitse Inspektsioon) and affected patients.
## Lessons Learned
- **Key takeaways:** "New" hardware sourced internally must be verified as sterile or formatted immediately prior to loading sensitive data.
- **Process Failure:** The reliance on patients purchasing USB drives from the hospital creates a shadow-IT risk if the drives are not managed by a centralized, secure IT protocol.
## Recommendations
- **Technical Control:** Implement a policy that automatically wipes any removable media connected to clinical workstations before data transfer.
- **Secure Transfer:** Transition away from physical USB drives in favor of secure, encrypted cloud-based patient portals or peer-to-peer specialist transfers.
- **Asset Management:** Ensure all "new" retail items (USB drives) are stored securely and never used for intermediary tasks before being sold to patients.