What caused the data exposure at West Tallinn Central Hospital?

The exposure occurred when a patient was provided a USB drive containing their X-ray images that also held the medical records and personal identification codes of other patients, likely due to improper media sanitization or a system export error.

What specific patient information was compromised in the breach?

The compromised data included patient names, personal identification codes, procedure dates, medical histories, and X-ray images dating back to 2019.

How long had the data been stored on the compromised media?

Evidence from the USB drive indicates that some files dated back to 2019, suggesting that the media or the source system retained legacy data for several years.

What is the official stance of the Estonian Data Protection Inspectorate (AKI)?

The AKI stated that the presence of patient data in the hands of an unauthorized third party is unacceptable and indicates a failure to meet personal data protection requirements.

What remediation steps are recommended for healthcare providers using physical media?

Providers should implement strict data sanitization protocols for all removable media, use encrypted transfer methods, and ideally transition to secure digital health portals to mitigate the risks of physical data disclosure.

Incident

West Tallinn Central Hospital Data Breach via USB Media

published: March 31, 2026

Learn More

West Tallinn Central Hospital (LTKH) in Estonia reports a data leak through the unauthorized disclosure of patient health information via physical media. The incident occurred when a patient, after undergoing X-ray imaging, received a USB drive from the hospital that contained not only their own records but also the medical data of multiple other individuals.

While the hospital claims to use fresh media, the patient discovered files dating back to 2019 when reviewing the drive at home. This suggests either the reuse of improperly sanitized storage devices or a systemic error in the imaging software that bundled multiple patient records into a single export session. The hospital has not yet identified the specific technical or human error responsible for the data mix-up. The compromised data includes:

Full names
Personal identification codes
Medical histories
Procedure dates and descriptions
X-ray images and anatomical details

The number of affected individuals is not disclosed. The Estonian Data Protection Inspectorate (AKI) characterized the event as a breach of personal data protection requirements.

Patients who receive medical data on physical media should verify the contents immediately and report any extraneous files to the provider and relevant data protection authorities.

West Tallinn Central Hospital Data Breach via USB Media

Read More
Sanford Health patients data at risk in data …
Healthcare provider Prairie Eye and LASIK Center hit …
Wayne Memorial Hospital ransomware attack exposes data of …
HMG Healthcare reports cyberattack, data breach
Massachusetts General Brigham hospital reports data breach