
Assumed Shredded, Sold Online

180,000+ Patients' Drives Slipped Through (NHO Hokkaido Hospitals)

Incident date
2026-06-08
Published
2026-06-17
Authors
Lemma Critical Team
Related Pack
Pack A: Incident Response

TL;DR

Hand old hard drives to a disposal vendor “on the assumption they’ll be shredded” — many organizations do it routinely. But if no one independently confirms the shredding, drives still full of data can end up on the secondhand market. In June 2026, the National Hospital Organization’s (NHO) Hokkaido Medical Center and Hokkaido Cancer Center disclosed that HDDs containing electronic medical records had circulated externally. In March 2024 they had entrusted destruction of roughly 750 drives to a waste-disposal vendor in Ishikari (Reprowork), which appears to have let drives go without confirming they were shredded (the vendor explained that pre- and post-shredding drives were kept in same-shaped containers and the work area was poorly separated). It came to light when someone who won an HDD at online auction in June 2025 reported that it held the hospital’s data. The 33 drives recovered (31 from the Medical Center, 2 from the Cancer Center) held personal data — names, addresses, medical conditions — of at least 186,900 patients and staff (potentially up to 510,000). NHO filed a criminal complaint with Hokkaido Police for suspected violation of the Waste Management Act; no misuse has been confirmed. We analyze this through Pillar 04 (Regulatory Attribute Proof) as a structure in which the “destroyed (disposal complete)” attribute of sensitive media is never fixed as an independently verifiable trail — the entruster had no way to independently verify the claim that the drives were shredded and could only trust the claimant. This Brief does not censure any party. Sibling of Brief 035; connects to 013, 006, and 021.


Incident overview

  • Subject: NHO Hokkaido Medical Center and Hokkaido Cancer Center (Sapporo). An incident over the disposal of HDDs that had stored electronic medical records and the like.
  • Entrustment: In March 2024, alongside an electronic-medical-record system upgrade at the two hospitals, NHO entrusted destruction and disposal of roughly 750 HDDs containing personal data to “Reprowork,” a waste-disposal vendor in Ishikari.
  • What happened: The vendor appears to have let the drives go without confirming they had been shredded. It explained to NHO that “pre- and post-shredding HDDs were managed in same-shaped containers, and the separation of the work area was insufficient.” As a result, drives full of data circulated externally (online auctions, etc.).
  • How it came to light: In June 2025, a member of the public who had won an HDD at online auction noticed it contained Hokkaido Medical Center’s data and reported it.
  • Scale: 33 HDDs were recovered (31 from the Medical Center, 2 from the Cancer Center). The personal data — names, addresses, medical conditions — covered at least 186,900 patients and staff collected up to 2024, with potential impact up to 510,000. During recovery, a separate leak of Hokkaido prefectural government HDDs also came to light.
  • Response: On June 8, 2026, NHO filed a criminal complaint against the vendor with Hokkaido Police for suspected violation of the Waste Management Act. No misuse of the data has been confirmed.
  • The core: Having entrusted disposal, with the drives contractually due to be destroyed, does not mean that their actual shredding was independently verified. The destruction attribute depended on the vendor’s self-report and a presumption, and — never independently confirmed from outside — the data-laden drives converted into a circulation surface.

Timeline

  • 2024-03: Alongside an electronic-medical-record upgrade at the two hospitals, NHO entrusts destruction/disposal of roughly 750 HDDs containing personal data to the Ishikari waste-disposal vendor “Reprowork.” The personal data was collected up to 2024.
  • 2025-06: A member of the public who won an HDD at online auction reports that it appears to hold Hokkaido Medical Center’s data — the trigger for discovery.
  • 2026-06-08: NHO discloses the incident, identifying 33 recovered drives and at least 186,900 affected people (up to 510,000), and files a criminal complaint against the vendor with Hokkaido Police for suspected Waste Management Act violation. No misuse confirmed.

Note: The affected counts (≈186,900 / up to 510,000), the number of drives (33), the vendor (Reprowork), the sequence, and the criminal complaint are based on NHO’s disclosure and reporting (HTB, Hokkaido Shimbun, UHB, Yomiuri, Kyodo; in English, DataBreaches.Net / The Star / Japan Today / Xinhua). This Brief does not aim to assign degrees of fault; it addresses the absence of independent verification of destruction.


The chain: an “assumed destroyed” premise converts, unverified, into circulation

This incident stems from the destruction attribute of sensitive media not being fixed as an independently verifiable trail at the moment of disposal. The path is as follows.

  1. Entrusting disposal: The hospital entrusts destruction/disposal of the HDDs to a vendor. They are handed over as items contractually due to be destroyed.
  2. Destruction as a premise: The premise “we entrusted it, so it was destroyed” is set. Whether it was actually shredded depends on the vendor’s work and self-report; the entruster has no mechanism to verify it independently.
  3. Chained handoffs: The vendor lets the drives go without confirming shredding (pre- and post-shred media mixed in the same containers, with insufficient separation, by its own account). At each link of the chain, no independent “destroyed” trail is carried forward.
  4. Conversion into a circulation surface: Drives full of data circulate on the secondhand market (online auctions, etc.). The media were not destroyed, and the stored electronic medical records and the like went outside in a readable state.
  5. After-the-fact discovery: A buyer’s report brings it to light, and recovery, the criminal complaint, and scoping of the impact proceed. This is an after-the-fact chain that acts once the media have circulated.

Structural analysis

This incident belongs to the attribute-proof-bypass category of Pillar 04 (Regulatory Attribute Proof). The central failure primitive is that the “destroyed (disposal complete)” attribute of sensitive media is not fixed as an independently verifiable trail at the moment of disposal, and depends on the vendor’s work and self-report. We note data-provenance (the provenance of the media and data through the disposal chain) as a secondary category. The existence of a disposal contract or a destruction certificate is not independent proof that the drives “were actually shredded.” Trust is placed not in the claim “we shredded it” but in the claimant, with no means to verify the claim independently. A paper destruction certificate is no substitute, since it can be issued even when nothing was shredded — the absence of “trust in the claim, not the claimant.”

This incident is the same shape as Brief 035 (on the Boeing 787, inspections were recorded as “complete” but had not been performed). Where 035 is “the existence of a record ≠ proof of performance,” this is “entrusting disposal / the premise of destruction ≠ the act of shredding” — two cross-sections of the same primitive. In both, the record or premise of a fact (an inspection performed / media destroyed) is mistaken for genuine independent verification of that fact. It connects to Brief 013 (regulation-mandated storage of raw personal data turned into a leak surface via an insider) in that highly sensitive personal data turns into a leak surface somewhere in its lifecycle without independent verification. It connects to Brief 006 (credential revocation not independently verified, valid even after deletion) through the primitive that “the end of the lifecycle (revocation / destruction) is not independently verified.” It is the same shape as Brief 021 (the existence of a balance-confirmation certificate mistaken for independent verification of the assets’ existence) in the gap between a certificate/premise and independent verification.

What this incident foregrounds is the layer of the end of the data lifecycle. Organizations focus on controlling collection, storage, and access, while independent verification of “it was destroyed” tends to be left to trust in the vendor and a paper certificate. When destruction is not independently verified, the sensitive information that was supposed to be protected converts into a circulation surface at the very end of the lifecycle — even when no one attacked it. This absence of end-of-lifecycle verification was exposed in the most sensitive data of all: medical information.


The gap between detection and proof

The buyer’s report, recovery, the criminal complaint, and scoping of the impact are indispensable for grasping and deterring the damage, and this Brief does not negate that role. Response after discovery and root-cause analysis are an important check on similar incidents.

At the same time, detection provides no material to independently establish — at the moment of disposal — whether the media just entrusted were actually destroyed. A disposal contract and a destruction certificate record the premise that destruction took place, but do not independently underwrite the act of shredding itself. Here, the absence of destruction was learned only after the data-laden drives surfaced on the market and a buyer reported it — and disclosure took about a year after that report. What was missing is a mechanism to fix, at the moment of disposal, an independently verifiable trail that “this medium was indeed destroyed,” and to carry it forward through each link of the disposal chain — a chain separate from after-the-fact discovery and the complaint. Once media have circulated, neither the absence of destruction nor the provenance of which medium leaked, when, and where can be fixed retroactively.

Pre-execution attestation flips the disposal of sensitive media from “trust the vendor” to “bind the fact of destruction to an independently verifiable trail at the moment of disposal.” Fix each medium’s destruction as a tamper-resistant trail (proof-of-destruction) tied to its time, place, and target, and make it verifiable at each handoff in the disposal chain (hospital → disposal vendor → recycler), and the circulation of a medium lacking a “destroyed” trail can be detected before the handoff. Detecting the absence of destruction (the detection-style “did it surface on the market”) and proving destruction (“can this medium be independently verified to have been destroyed”) are not substitutes but complements (for verifying provenance independently at the moment of the act, see “Proof-as-Auth: sign in without ever sending your key” (Lemma, 2026-05); for the detection-and-attestation thesis, see “The last layer left for cyber defense in the age of AI” (Lemma, 2026-05)).


  • NHO / the two hospitals: Disclosed the incident and scoped the impact (33 recovered drives, ≈186,900 people, up to 510,000). Filed a criminal complaint against the vendor with Hokkaido Police for suspected Waste Management Act violation. No misuse confirmed so far.
  • Separating “the claim” from “the claimant”: The essence is that the entruster had no means to independently verify the claim “we shredded it” — whether destruction actually happened came down to trusting the vendor (the claimant). What is needed is not trust in the claimant but a trail that verifies the claim itself.
  • The limits of paper certificates: Data-destruction certificates exist in practice, but this incident shows that “a certificate can be issued even when nothing was shredded.” A paper certificate does not independently underwrite the fact of shredding and does not withstand forgery or hollowing-out. What is needed is a destruction trail as an unforgeable cryptographic proof.
  • Insourcing the shredder is not the point: A move toward operating shredders in-house as a preventive measure is understandable, but hospitals should focus on their core work (care); taking on shredding operations is beside the point. With an unforgeable proof of destruction, the certainty of destruction can be guaranteed while keeping the work outsourced.
  • A whole-lifecycle issue: Medical data is highly sensitive with a long store→use→dispose lifecycle. This incident is at the “disposal” stage, but “no unauthorized access during storage” and “no tampering in transit” share the same structure, and demand for independently verifiable provenance at each stage is large.
  • Toward prevention as standard equipment: This time a buyer’s report enabled recovery, but there is no guarantee of recovery next time. The direction is to equip “a verifiable proof that destruction occurred” preventively as standard, rather than relying on after-the-fact response — consistent with regulation’s center of gravity shifting from “submitting records” to “independently verifiable proof.”

The absence of a layer that fixes the destruction of sensitive media as an independently verifiable trail at the moment of disposal is not a problem of a specific hospital or vendor; it remains a challenge common to every organization that holds sensitive information and outsources its disposal.


Lemma’s analysis

Against the gap this incident exposed (the destruction attribute of sensitive media is not independently verified at the moment of disposal), Lemma proposes a design that fixes the fact of disposal — the end of the lifecycle — as an independently verifiable cryptographic proof at the moment of the act.

  • Provenance binding of a destruction trail (proof-of-destruction): Bind each medium’s destruction, via a docHash, to its time and target, making “this medium was indeed destroyed” independently verifiable as an unforgeable cryptographic proof. Leave a trail tied to the fact of destruction itself — not a disposal contract or a paper certificate (issuable without shredding). This guarantees the certainty of destruction while keeping the work outsourced, without a hospital insourcing a shredder.
  • Chain-of-custody verification: At each handoff in the disposal chain (entruster → disposal vendor → recycler), make the presence of a destruction trail verifiable, and screen out the circulation of a medium lacking a “destroyed” trail before the handoff.
  • Pre-execution attestation of the attribute: Present the attribute “this medium has been destroyed” not as trust in the claimant but as an independently verifiable trail (verification of the claim itself), binding disposal completion to a verification condition.
  • Extension to the whole lifecycle: The same independent-verification design applies not only to disposal but to storage (no unauthorized access) and transit (no tampering). The more sensitive and long-retained the medical data, the greater the value of provenance proof at each stage.
  • Selective disclosure: Without exposing the contents of the stored data, disclose only the minimum — that “this medium met the destruction verification condition” — reconciling independent verification with privacy protection.
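As an added illustration of the proof-of-destruction and chain-of-custody checks described in the pre-execution attestation paragraph above and in this list (an example written for this page, not Lemma’s design or code): the shredder operator signs a per-medium destruction record bound to a docHash-style medium ID, and the next custodian screens a batch before handoff, holding back any drive whose proof is missing or was relabelled from another drive. The Ed25519 operator key, the record format, and all site and serial values are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// DestructionProof is the trail fixed at the moment of shredding: identity, time
// and place only (selective disclosure), never the drive's contents.
type DestructionProof struct{ MediumID, Time, Place string; Sig []byte }

// mediumID is the docHash-style binding to one physical drive (site + serial).
func mediumID(serial, site string) string {
	h := sha256.Sum256([]byte(site + "|" + serial))
	return hex.EncodeToString(h[:])
}
func msg(id, t, place string) []byte { return []byte(id + "|" + t + "|" + place) }

// newOperatorKey stands in for the shredder operator's signing key (assumed setup).
func newOperatorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pk, sk, _ := ed25519.GenerateKey(rand.Reader)
	return pk, sk
}

// attest runs on the operator side at the moment a medium is actually shredded.
func attest(sk ed25519.PrivateKey, id, t, place string) DestructionProof {
	return DestructionProof{id, t, place, ed25519.Sign(sk, msg(id, t, place))}
}

// verifyProof needs only the public key: the next custodian checks the claim itself.
func verifyProof(pk ed25519.PublicKey, p DestructionProof, wantID string) bool {
	return p.MediumID == wantID && ed25519.Verify(pk, msg(p.MediumID, p.Time, p.Place), p.Sig)
}

// screenHandoff returns serials lacking a valid proof; they stay in custody.
func screenHandoff(pk ed25519.PublicKey, site string, batch []string, proofs map[string]DestructionProof) []string {
	var held []string
	for _, s := range batch {
		if p, ok := proofs[s]; !ok || !verifyProof(pk, p, mediumID(s, site)) {
			held = append(held, s)
		}
	}
	return held
}

func main() { // constructed sample: one real proof, one relabelled certificate, one missing
	pk, sk := newOperatorKey()
	proofs := map[string]DestructionProof{"WD-0001": attest(sk, mediumID("WD-0001", "HOSP-A"), "2024-03-15T10:02Z", "line 1")}
	relabelled := proofs["WD-0001"]
	relabelled.MediumID = mediumID("WD-0002", "HOSP-A") // certificate re-used for a different drive
	proofs["WD-0002"] = relabelled
	fmt.Println("held back:", screenHandoff(pk, "HOSP-A", []string{"WD-0001", "WD-0002", "WD-0003"}, proofs))
}
```

Running it prints `held back: [WD-0002 WD-0003]`: the relabelled certificate fails signature verification and the never-shredded drive has no trail at all, so neither leaves custody.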

In this way, a proof fixed at the moment of disposal functions as an independently verifiable trail of whether “this sensitive medium was indeed destroyed,” without depending on after-the-fact discovery. Detection (after-the-fact reporting, recovery, the complaint) works on correcting the damage; attestation (independent verification of destruction at the moment of disposal) works on establishing trust at the end of the data lifecycle — each complementary to the other. For the design and its scope, see Pillar 04 — Regulatory Attribute Proof and the use-case index.


About Brief distribution

The Lemma Critical Brief is a threat-intelligence brief published by Lemma. This material is a structured analysis of public information; it is not an audit, diagnosis, or recommendation for any specific organization. If you use it as a reference for decision-making, please consult your Lemma Critical contact directly.



(c) 2026 FRAME00, INC. — Built for decisions that matter.

Cite this Brief

Lemma Critical Team. (2026).
"Assumed Shredded, Sold Online — 180,000+ Patients' Drives Slipped Through (NHO Hokkaido Hospitals)".
Lemma Critical Brief No.065. Lemma / FRAME00, Inc.
https://lemma.frame00.com/critical/briefs/065-hokkaido-hospital-hdd-disposal/