Earlier this month, I received an email that many healthcare consumers now recognize all too well. It informed me that Sutter Health, a California-based healthcare provider with 24 hospitals and more than 200 clinics, had reached a $21.5 million settlement related to a privacy class action lawsuit. The notice explained that California residents who logged into Sutter Health's MyHealthOnline portal between June 10, 2015, and March 20, 2020, may receive up to $90.

I had used Sutter Health almost a decade ago while staying in San Jose, and the message was a reminder of how long personal data can persist in corporate systems.

For me, the notice was more than a financial footnote. It prompted a familiar concern in the data security world and brought to mind the HealthReach Community Health Centers incident in Maine, where sensitive patient data was exposed due to improperly disposed hard drives.

When most people think about data breaches, they imagine hackers, ransomware, or sophisticated cyberattacks. In reality, a substantial portion of breaches stem from something far more mundane and preventable: improper disposal of hard drives. This is commonly referred to as improper IT Asset Disposition, or ITAD, and it remains one of the most underestimated risks in data security.

Hard drives that are sent for recycling, resale, or scrapping often leave an organization's direct control. If those drives are not properly wiped or physically destroyed, the data stored on them remains recoverable. Formatting a drive or deleting files does not remove the underlying information. Specialized recovery tools, which are widely available, can reconstruct sensitive records with little effort. As a result, discarded hardware becomes a quiet but powerful attack surface.

The healthcare sector is particularly vulnerable because of the sheer volume and sensitivity of data it handles. The HealthReach case illustrates this clearly. In 2021, the organization notified more than 100,000 Maine residents that patient information may have been exposed after several hard drives were improperly disposed of by a third party. The data included names, Social Security numbers, dates of birth, financial and insurance details, lab results, and security credentials. No network intrusion occurred. The breach was driven entirely by negligence and weak disposal controls.

These incidents continue to happen for several reasons. Organizations often assume that contracting an electronics recycler automatically ensures data destruction. In reality, non-certified vendors frequently fail to follow recognized standards such as NIST SP 800-88 or Department of Defense sanitization protocols. During transport and storage, drives may be lost, stolen, or resold intact. The risk increases further in regions with large informal e-waste sectors, where discarded devices are commonly resold rather than destroyed.

Another factor is misplaced confidence in surface-level data removal. Formatting is not wiping, and wiping is not always destruction. Without verified sanitization methods or physical shredding, data can persist in accessible form. These failures often go unnoticed for years and are rarely reported as classic cyber incidents, making them a silent source of long-term exposure.
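
To make "verified sanitization" concrete, here is an added example (not part of the original post) of a read-back check that a quick format fails and a full overwrite passes. The disk image, the record text, and all function names are constructed for illustration; the check assumes a zero-fill overwrite.

```python
import os
import random
import tempfile

SECTOR = 512

def verify_wipe(path, sample=None, fill=0x00, seed=None):
    """Return indexes of sectors that do not hold the expected overwrite byte."""
    expected = bytes([fill]) * SECTOR
    dirty = []
    with open(path, "rb") as dev:
        total = dev.seek(0, os.SEEK_END) // SECTOR  # also works on block devices
        if sample is None or sample >= total:
            indexes = range(total)                  # full read-back
        else:
            indexes = sorted(random.Random(seed).sample(range(total), sample))
        for i in indexes:
            dev.seek(i * SECTOR)
            if dev.read(SECTOR) != expected:
                dirty.append(i)
    return dirty

def build_image(path, sectors=2048):
    """Constructed disk image: metadata in sector 0, one record in sector 1000."""
    with open(path, "wb") as f:
        f.write(b"\xEB" * SECTOR + b"\x00" * SECTOR * (sectors - 1))
        f.seek(1000 * SECTOR)
        f.write(b"CONSTRUCTED-RECORD name=Jane Doe".ljust(SECTOR, b"."))

def quick_format(path, metadata_sectors=64):
    """Simulates a format: only the metadata region at the start is rewritten."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * SECTOR * metadata_sectors)

def full_overwrite(path):
    """Single-pass zero fill of every sector."""
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)
        f.seek(0)
        f.write(b"\x00" * size)

def demo():
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        build_image(img)
        quick_format(img)
        after_format = verify_wipe(img)   # record sector still readable
        full_overwrite(img)
        after_wipe = verify_wipe(img)     # nothing left to flag
    return after_format, after_wipe

if __name__ == "__main__":
    print(demo())
```

A clean read-back only covers sectors the host can address. On SSDs, remapped and over-provisioned blocks are not visible this way, which is why device-level sanitize commands are used for that media.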

Preventing these breaches requires discipline, not novel technology. Organizations should encrypt sensitive data, maintain accurate asset inventories, and apply strict end-of-life controls to all data-bearing equipment, including copiers and medical devices. Most importantly, they must work only with certified ITAD providers that offer documented chains of custody and proof of destruction.

I have personally used DBAN for erasing traditional HDDs, as it securely overwrites magnetic disks using multiple data wiping passes, and BitRaser Drive Eraser for SSDs, which uses manufacturer-supported sanitize and secure erase commands to ensure data is irrecoverable. Based on my experience, I highly recommend using these tools before scrapping or recycling any drives, as they provide a reliable and practical way to prevent sensitive data from being recovered after disposal.

Data security does not end when systems are decommissioned, and improper hard drive disposal is not a minor operational oversight. It is a direct and recurring pathway to data breaches, regulatory scrutiny, and lasting loss of trust.

Footnote: The most reliable and my favorite way to prevent data recovery from hard disk drives is physical destruction. Drilling multiple holes through the drive platters or using certified industrial shredding renders the media permanently unreadable and eliminates the risk of forensic recovery.

-chalatmusafir (HD)