A data breach risk involving hard disk drives (HDDs) designated for physical destruction has come to light at two hospitals operated by the National Hospital Organization in Hokkaido. The incident, publicly disclosed on June 8, 2026, potentially exposed personal information of up to 510,000 patients due to improper handling by a contracted waste disposal company. This case underscores the critical importance of supply chain oversight in IT asset disposal processes.

📑Table of Contents
  1. Incident Overview and Timeline
  2. Scale of Impact and Contents of Personal Information
  3. Contractor’s Processing Error and Root Causes
  4. Hospital Response and Criminal Complaint
  5. Disposal Risks and Best Practices Comparison
  6. Frequently Asked Questions (FAQ)
  7. Summary

Incident Overview and Timeline

On June 8, 2026, the National Hospital Organization Hokkaido Medical Center (Nishi-ku, Sapporo) and Hokkaido Cancer Center (Shiroishi-ku, Sapporo) announced a serious lapse in the disposal of old terminal equipment following an electronic medical records system upgrade. The centers had entrusted approximately 1,320 HDDs from decommissioned PCs to “Repro Work,” a waste processing company in Ishikari City, Hokkaido, with explicit instructions for physical crushing (destruction).

However, some of the entrusted HDDs were not properly crushed and instead appeared on online auctions, leading to external leakage. The issue was discovered around June 2025 when a winning bidder contacted the hospitals. The hospitals recovered the drives by purchasing them back from the bidder and confirmed they belonged to the facilities.

Source: Impress INTERNET Watch (https://internet.watch.impress.co.jp/docs/news/2115720.html) and ScanNetSecurity reporting (https://scan.netsecurity.ne.jp/article/2026/06/19/55534.html)


Scale of Impact and Contents of Personal Information

The potential scale of exposed personal information is substantial:

  • Hokkaido Medical Center: 1.76 million records (actual 170,000 individuals)
  • Hokkaido Cancer Center: 25,000 records (actual 8,800 individuals)
  • Potential maximum impact: 510,000 individuals

The data includes names, addresses, medical consultation details, test results, and nursing records—highly sensitive patient privacy information. Of approximately 90 recovered HDDs, 33 were confirmed as hospital property. While no unauthorized use or secondary damage has been confirmed to date, prompt notification to affected patients and appropriate response measures are urgently required.


Contractor’s Processing Error and Root Causes

The core problem lies in the contractor’s operational processes. Repro Work’s workspace lacked sufficient separation between crushed and uncrushed HDDs, allowing uncrushed drives to be mixed with items intended for recycling and potentially passed to recycling vendors.

Both centers had previously commissioned similar crushing disposal from the same contractor during electronic medical records upgrade projects in March 2024 (Medical Center, ~750 units) and November 2024 (Cancer Center, ~570 units). The repeated occurrence across multiple batches highlights the vulnerability of “human-dependent” processes when physical destruction is outsourced. Even with physical destruction requirements, reliance on the contractor’s internal management controls proved insufficient.


Hospital Response and Criminal Complaint

Following discovery, both centers implemented the following rapid response measures:

  • Recovery and content verification of the relevant HDDs
  • Mailing of apologies and reports to patients whose addresses could be confirmed
  • Establishment of a dedicated telephone inquiry line
  • Filing a criminal complaint with the Hokkaido Prefectural Police on suspicion of violation of the Waste Management and Public Cleansing Act (dated June 8, 2026)

The centers also demanded operational improvements from the contractor and indicated plans to review internal disposal processes. No unauthorized use or secondary damage has been confirmed at this time.


Disposal Risks and Best Practices Comparison

This incident, where vulnerabilities persisted despite outsourcing physical destruction, prompts reflection on risk management for HDD disposal. Below is a comparison of common disposal methods:

| Method | Security Level | Cost | Reliability | Recommended Scenarios |
|---|---|---|---|---|
| Physical Destruction (Crush/Puncture) | High | Medium | Contractor-dependent | High volumes of confidential data |
| Magnetic Destruction + Overwrite | High | High | Self-managed possible | Internal processing |
| Data Erasure Software | Medium | Low | Log verification possible | Reuse-oriented scenarios |
| Full Contractor Outsourcing (No Destruction) | Low | Low | Process opaque | Not recommended |

Source: General information security guidelines and lessons from this incident

While physical destruction offers high security, contractor selection and auditing are key. Whenever possible, organizations should perform magnetic destruction combined with overwriting in-house or rigorously obtain and retain certificates of destruction.
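
The certificate-of-destruction check recommended above can be enforced per drive rather than per batch, by reconciling the serials recorded at handover against the serials the contractor certifies as destroyed. The following Python example is added here for illustration and is not from the hospitals, the contractor or the cited reports; the CSV column names, the photo-evidence field and all serial numbers are constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample data (assumed layout): serials the organization recorded
# at handover, and the per-drive rows of the contractor's destruction certificate.
HANDOVER_CSV = """serial,asset_tag,batch
WD-A1001,PC-0001,2024-03
WD-A1002,PC-0002,2024-03
ST-B2001,PC-0003,2024-11
ST-B2002,PC-0004,2024-11
"""
CERTIFICATE_CSV = """serial,method,photo_ref
wd-a1001,crush,IMG_0001.jpg
WD-A1001,crush,IMG_0009.jpg
ST-B2001,crush,
ZZ-UNKNOWN,crush,IMG_0003.jpg
"""

def norm(serial):
    """Normalize a serial so case and spacing differences do not hide a match."""
    return serial.strip().upper().replace(" ", "")

def reconcile(handover_csv, certificate_csv):
    """Compare handed-over drives with certified-destroyed drives, per serial."""
    handed = {norm(r["serial"]): r for r in csv.DictReader(io.StringIO(handover_csv))}
    cert_rows = list(csv.DictReader(io.StringIO(certificate_csv)))
    counts = Counter(norm(r["serial"]) for r in cert_rows)
    certified = set(counts)
    return {
        # Handed over but never certified as destroyed: chase these first.
        "missing": [(s, handed[s]["batch"]) for s in sorted(set(handed) - certified)],
        # Certified serials that were never handed over (typo or wrong batch).
        "unexpected": sorted(certified - set(handed)),
        # Same serial certified more than once; can mask a missing drive
        # when only the totals are compared.
        "duplicate": sorted(s for s, n in counts.items() if n > 1),
        # Certified without any photo evidence of the crushed drive.
        "no_evidence": sorted({norm(r["serial"]) for r in cert_rows
                               if not (r["photo_ref"] or "").strip()}),
    }

if __name__ == "__main__":
    for finding, items in reconcile(HANDOVER_CSV, CERTIFICATE_CSV).items():
        print(f"{finding}: {items}")
```

In the constructed data the certificate has as many rows as the handover list has drives, yet two drives are unaccounted for, which is why a count-only comparison is not sufficient.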


Frequently Asked Questions (FAQ)

Q1: Why did HDDs slated for crushing end up on online auctions?

The contractor’s separation of crushed versus uncrushed HDDs was inadequate, allowing unprocessed items to mix with materials destined for recycling and potentially be sold to recyclers. Issues with workspace management protocols are suspected.

Q2: Has the leaked personal information actually been misused?

No unauthorized use or secondary damage has been confirmed to date. The hospitals have recovered the relevant HDDs and are proceeding with patient notifications and other response measures.

Q3: Do other hospitals and companies face similar risks?

Inadequate management of supply chain partners (waste disposal contractors) is a common industry challenge. The Information-technology Promotion Agency (IPA) has also highlighted supply chain attacks as a significant threat, making rigorous contractor selection and auditing essential.

Q4: What countermeasures should organizations take when disposing of HDDs?

1) Pre-audits and strict contractual terms during contractor selection, 2) Obtaining and preserving certificates of destruction, 3) Performing magnetic destruction plus data overwriting in-house where feasible, 4) Regular reviews and audits of disposal processes.

Q5: Is the Hokkaido Prefectural Government HDD leakage also related to this incident?

Reports indicate that HDD leakage involving the Hokkaido Prefectural Government, also handled by the same contractor, surfaced in parallel. The contractor’s widespread processing deficiencies appear to be the underlying cause. Similar issues have surfaced across multiple public institutions.

Q6: Has the National Hospital Organization announced recurrence prevention measures?

In addition to the criminal complaint, the organization has demanded operational improvements from the contractor and indicated internal process reviews. Details of recurrence prevention measures await future official announcements.


Summary

This incident concretely demonstrates the risk that human error or management deficiencies in outsourced disposal—the “last line of defense”—can lead to personal information leakage. Even when entrusting physical destruction externally, close coordination with the contractor and verification processes are indispensable. A comprehensive review of security measures across the entire IT asset lifecycle is required for all organizations.

Source: Impress INTERNET Watch (https://internet.watch.impress.co.jp/docs/news/2115720.html), ScanNetSecurity (https://scan.netsecurity.ne.jp/article/2026/06/19/55534.html), and official announcements from the National Hospital Organization


Author

krona23

Over 20 years in the IT industry, serving as Division Head and CTO at multiple companies running large-scale web services in Japan. Experienced across Windows, iOS, Android, and web development. Currently focused on AI-native transformation. At DevGENT, sharing practical guides on AI code editors, automation tools, and LLMs in three languages.
