title: "Hokkaido Medical Center and Hokkaido Cancer Center: Improper Disk Disposal Data Leak"
date: 2026-06-09
slug: hokkaido-hospitals-data-leak
Hokkaido Medical Center and Hokkaido Cancer Center: Improper Disk Disposal Data Leak
Two Sapporo hospitals in Japan's National Hospital Organization network disclosed on Monday that data on roughly 186,000 people was confirmed present on hard disks sold online, with the total population of potentially affected patients and staff estimated at up to 510,000. The Hokkaido Medical Center and Hokkaido Cancer Center traced the exposure to a contracted waste disposal firm that appears to have passed decommissioned drives to a recycling company without destroying them. No unauthorized use or secondary damage has been reported so far.
What Happened
The two hospitals, both part of the National Hospital Organization that manages 140 facilities nationwide, contracted Reprowork Co., a waste disposal company in Ishikari, to dispose of retired hard disks. Rather than physically destroying the drives, the company may have passed them to a recycling firm intact, after which they entered the secondary market and were sold at online auction. Between last June and August, the organization received tips from two separate individuals who had purchased disks at auction and recognized data that appeared to belong to the medical centers. The hospitals recovered 90 similar hard disks, and on Monday the National Hospital Organization filed a criminal complaint with police against the disposal company.
What Was Taken
Of the 90 recovered disks, 33 contained sensitive personal information. The confirmed data covers around 186,000 individuals and includes patients' names, dates of birth, and medical conditions, alongside records tied to hospital staff. Because the hospitals cannot account for every disk that may have left their custody, the estimated exposure rises to as many as 510,000 people. Medical condition data combined with identity details represents one of the most sensitive categories of personal information, carrying long-term risk for fraud, extortion, and discrimination even years after the original records were created.
Why It Matters
This incident is a textbook reminder that data does not stop being a liability when hardware reaches end of life. A breach here required no malware, no intrusion, and no sophisticated adversary, only a broken chain of custody in the disposal pipeline. For defenders, it underscores that third-party and downstream vendor failures can produce breaches as damaging as any external attack, and that healthcare data retains its value indefinitely. The reported window between the first tip last summer and Monday's disclosure also highlights how long improperly disposed media can circulate before an organization even learns it has a problem.
The Attack Technique
There was no cyber intrusion. The exposure stems from a physical media disposal failure: decommissioned hard disks that should have been destroyed were instead resold intact through a recycling and auction chain. The hospitals relied on a contractor to certify destruction but apparently received no verified proof that the drives were wiped or physically shredded. Anyone who purchased the disks could read their contents directly, since the data does not appear to have been encrypted at rest. This is a supply-chain and asset-disposal failure rather than a network compromise.
What Organizations Should Do
- Require certificates of destruction with serial-level tracking for every decommissioned drive, and reconcile disposed assets against an inventory.
- Encrypt data at rest on all storage media so that drives leaving custody are unreadable even if destruction fails.
- Audit waste disposal and recycling vendors, including physical witnessing or video evidence of shredding for high-sensitivity media.
- Perform cryptographic erasure or physical destruction in-house before media ever leaves the building when handling regulated health data.
- Maintain an asset lifecycle log that follows each disk from procurement to verified destruction, closing the chain-of-custody gap.
- Establish a monitoring and response process for tips that organizational data has surfaced on secondary markets, so circulation is caught in weeks, not many months.
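The serial-level reconciliation recommended above can be automated. The following Python sketch is an added example, not code from the hospitals, the source article, or any vendor; the CSV column names, the serial normalization rule, and every sample row are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter
from datetime import date

# Constructed sample data; column names are assumptions for this example.
INVENTORY_CSV = """serial,encrypted_at_rest,handed_to_vendor
WD-A1001,yes,2025-03-02
wd-a1002,no,2025-03-02
ST-B2001,no,2025-03-02
ST-B2002,yes,2025-03-09
ST-B2003,no,
"""
CERTIFICATES_CSV = """serial,method,destroyed_on
WDA1001,shred,2025-03-05
WD-A1002,shred,2025-03-01
ST-B2002,shred,2025-03-10
ST-B2002,shred,2025-03-11
ZZ-9999,shred,2025-03-10
"""

def norm(serial):
    """Serials get re-typed by hand; compare ignoring case and punctuation."""
    return "".join(ch for ch in serial.upper() if ch.isalnum())

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def reconcile(inventory, certificates):
    """Return chain-of-custody gaps between drives handed over and certificates received."""
    handed = {norm(r["serial"]): r for r in inventory if r["handed_to_vendor"]}
    known = {norm(r["serial"]) for r in inventory}
    counts = Counter(norm(c["serial"]) for c in certificates)
    first_cert = {}
    for c in certificates:
        first_cert.setdefault(norm(c["serial"]), c)
    missing = sorted(s for s in handed if s not in counts)
    return {
        "missing_certificate": missing,  # left custody, no proof of destruction
        "readable_if_resold": [s for s in missing if handed[s]["encrypted_at_rest"] != "yes"],
        "unknown_serial": sorted(s for s in counts if s not in known),
        "duplicate_certificate": sorted(s for s, n in counts.items() if n > 1),
        "destroyed_before_handover": sorted(
            s for s, c in first_cert.items() if s in handed
            and date.fromisoformat(c["destroyed_on"]) < date.fromisoformat(handed[s]["handed_to_vendor"])),
    }

if __name__ == "__main__":
    for finding, serials in reconcile(load(INVENTORY_CSV), load(CERTIFICATES_CSV)).items():
        print(f"{finding}: {serials}")
```

Any non-empty finding is a reason to hold vendor payment and open an inquiry; `readable_if_resold` is the subset that would expose data if the drive resurfaced on a secondary market.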
Sources: Data on 510,000 people linked to Hokkaido hospitals possibly leaked online - Japan Today