Industry - Data Breach

moderate | Anti-Privacy | Data Breach

Executive Summary

A patient who received an X-ray at West Tallinn Central Hospital in Estonia was given a supposedly new USB drive to transfer their medical images, but discovered it also contained health data from several other patients. The hospital has not yet explained how patient data ended up on what was meant to be a blank drive and says it will investigate only after the patient files a formal complaint. The incident exposed sensitive health information of multiple individuals through what appears to b...

What Happened

A patient who purchased what was described as a new USB drive from West Tallinn Central Hospital in Estonia to store their X-ray images discovered the drive also contained personal and health data from several other patients. The hospital has stated it cannot investigate how patient data ended up on the supposedly blank drive until the affected patient files a formal complaint. The incident occurred in March 2026 when the patient was advised to use a USB drive to transfer medical images to a specialist.

Who Is Affected

Multiple patients of West Tallinn Central Hospital are affected, including the individual who purchased the USB drive and the several other patients whose personal and health data were stored on it. The exposed information includes medical imaging data and associated personal health records. The full scope of affected individuals remains unclear as the hospital has not yet conducted an investigation.

Why It Matters

This incident reveals a fundamental breakdown in basic data handling procedures at a healthcare facility, where sensitive health information was improperly stored on devices intended for sale to patients. The hospital's requirement that victims file formal complaints before investigating potential systemic data security failures raises concerns about institutional accountability and whether similar issues may have affected other patients. Healthcare data breaches involving physical media demonstrate vulnerabilities that exist beyond digital cyberattacks.

What You Should Do

If you received medical services at West Tallinn Central Hospital and were given a USB drive, immediately check it for any data beyond your own medical records and file a formal complaint with the hospital if you find others' information. Contact the Estonian Data Protection Inspectorate to report the incident independently of the hospital's internal process. Monitor your medical records for any unauthorized access and consider requesting documentation of all individuals who have accessed your health information at the facility.

AI-Assisted

Event summaries are generated by Claude AI from verified sources and reviewed by humans before publication.

A patient who received an X-ray at West Tallinn Central Hospital in Estonia was... - Industry | PrivacyWire