Data leak in rehab clinics: Thousands of patients potentially affected

A data leak potentially affects thousands of patients at ZAR rehab clinics across Germany. Among other things, highly sensitive patient data was accessible.

One person does a gymnastics exercise

(Image: Lopolo / Shutterstock.com, edited by heise online)


A massive data leak potentially affects hundreds of thousands of patients at ZAR rehab clinics across Germany. Among other things, highly sensitive medical reports were accessible. The affected rehab centers are under the umbrella of Nanz medico, which claims to be the largest provider of outpatient rehab services in Germany. This includes a total of 39 rehab clinics.

All patient appointments are listed in the weekly list of the "ZAR PAT" app.

(Image: Nanz medico GmbH & Co. KG)

Depending on their location, the ZAR rehab centers offer treatment options for orthopaedics, neurology, cardiology, oncology and psychosomatics. An app called ZAR PAT is used for communication between patients and the rehab center, allowing patients to conveniently view daily and weekly schedules as part of their treatment. The Android version of the app alone has been downloaded over 100,000 times.

However, the convenience unintentionally came at a high price: one user of the app noticed that it was communicating with the internet unencrypted, retrieving his schedules from the server in plain text. Transport encryption (TLS) has been a standard, rudimentary security measure for apps for many years.


Screenshot from the analysis app shows that there is no transport encryption.

(Image: Informant)

Hacking knowledge was not required to view the data; it was sufficient to take a look at the connections at any point during transmission, for example with the PCAPdroid analysis app directly on the smartphone. There was also no need to overcome security measures. Any third party could have easily viewed the unprotected plain text connections, for example the internet provider or other users in public networks.

But that was just the beginning: when the URL of the server from which the app loaded the appointments was opened in a web browser, the server automatically revealed other paths it was hosting. Under these paths, personal data could be accessed without any access control – again via an unprotected plain text connection.
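The two server-side failures described in this and the previous paragraphs (cleartext HTTP, and automatic path listing with no access control) map directly onto web server settings. The following nginx configuration is an added illustration, not Nanz medico's or its IT provider's actual configuration; the hostname, certificate paths and the internal token-validation service at /auth are assumed placeholders.

```nginx
# Weak configuration (assumed for illustration, not the clinic's real setup):
# plain HTTP, automatic directory listing, no authentication at all.
#server {
#    listen 80;
#    server_name app.example-rehab.invalid;
#    root /srv/patientdata;
#    autoindex on;
#}

# Hardened configuration
server {
    listen 80;
    server_name app.example-rehab.invalid;
    # never serve content over cleartext; send every request to TLS
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name app.example-rehab.invalid;
    ssl_certificate     /etc/ssl/certs/app.pem;        # placeholder paths
    ssl_certificate_key /etc/ssl/private/app.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    root /srv/patientdata;
    autoindex off;   # no automatic listing of paths when a directory is requested

    location / {
        # every request must carry a valid session; the internal /auth
        # subrequest (assumed validation service) returns 2xx or 401
        auth_request /auth;
        try_files $uri =404;
    }

    location = /auth {
        internal;
        proxy_pass http://127.0.0.1:9000/validate;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }
}
```

With `auth_request`, an unauthenticated browser visiting one of the leaked paths receives a 401 instead of a patient record, and because port 80 only redirects, no record ever travels in plain text.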

This included not only personal data such as first name, surname and date of birth, but also information about courses attended in the rehabilitation facilities and detailed medical reports that were recorded as part of the therapy, for example in the treatment of psychosomatic illnesses. These contain sensitive information about the patient's life circumstances and state of health, such as in this report: "Looking back on the individual psychotherapeutic sessions, looking back on her childhood was rather upsetting for her, she had successfully repressed many things that had now come up again".

The extent of the data leak is considerable: one of the locations alone apparently delivered data from over 80,000 patients. The data goes back many years. It is not yet clear over what period of time access was possible and who accessed the data.

Our informant immediately reported the security problem to the German Federal Office for Information Security (BSI) and directly to the rehab clinic involved. His report was even noted in his own medical record, and, ironically, he was able to read that note live via the very data leak he had reported: "Patient just called me and found a data breach based on the app: ZAR-PAT. He reported it directly to the BSI and only then informed me. I have already informed our IT department".

Our whistleblower also identified other security problems, but by far the greatest risk was posed by the extensive access to highly sensitive patient data without access protection or transport encryption. In the wrong hands, the data could cause considerable harm to those affected.

The clinic apparently passed the information on to its parent company Nanz medico GmbH & Co. KG, which was then at least able to quickly prevent access to the data. Since then, the data has been delivered in transport-encrypted form, and external access to the sensitive information is blocked with an error message.

heise online and c't asked Nanz medico for a statement on the massive data leak on January 22. The company responded: "As soon as we became aware of this, we immediately commissioned the IT service provider to carry out an audit and instructed them to close the gaps without delay. These were rectified yesterday afternoon, the gaps closed and the existing security settings expanded." There were no indications of data leaks or manipulation, and further questions on our part remained unanswered, such as the number of people affected or whether the responsible data protection authorities were informed.

According to the provisions of the GDPR, the data leak is likely to be a reportable incident. In accordance with Article 33 GDPR, data controllers must inform the competent supervisory authority of the incident within 72 hours. If it is concluded that there is a "high risk to the personal rights and freedoms of natural persons", all data subjects must also be informed (Art. 34 GDPR). If the controller does not comply with these requirements, there is a risk of severe fines.

Nanz medico only partially responded to our second inquiry a week after the incident: "As the external security experts are currently carrying out all the necessary checks in accordance with the relevant legal and security standards, we ask for your understanding that this requires a conscientious and careful approach. There are still no indications of data leaks or manipulation." In any case, it is undisputed that the data has been accessed by third parties. This should also be immediately apparent from the server logs.

Our questions about which locations, how many patients and which data the company believes to be affected by the data leak remain unanswered. The responsible state data protection authorities do not appear to have been informed either, as our inquiries revealed.

ZAR offers rehabilitation options for every situation.

(Image: Nanz medico GmbH & Co. KG)


(mack)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.