E-patient file: CCC again finds gaps, Gematik reacts with "immediate measure"

The day after the launch of the ePA, Gematik has to report that it has closed another security gap with an "immediate measure".

Note: This article was originally published in German on April 30, 2025.

Despite additional security measures, the electronic patient file (ePA), which has been available to all people with statutory health insurance since Tuesday, still has vulnerabilities. On Wednesday, Gematik announced that it had closed another security gap with an "immediate measure".

The background to this are new findings by security experts from the Chaos Computer Club (CCC). Together with Christoph Saatjohann, Professor of IT Security at Münster University of Applied Sciences, Bianca Kastl and Martin Tschirsich had discovered that the address and insurance start date could be queried via the electronic replacement certificate. This is intended for patients who have forgotten their health card. This allowed them to bypass a security measure designed to prevent unauthorized access.

To access a patient file, you need access to the telematics infrastructure, the patient's health insurance number and health card number as well as a hash value. This "hash check value" (HCV) is calculated from the insured person's insurance start date, street and house number. The idea is that this data should only be obtainable from the chip on the health card. However, that is evidently not the case: the same data is also transmitted via the KIM service, among other channels.

According to a report in Der Spiegel, Saatjohann created a program with which this data could be retrieved from several health insurance companies, including Techniker Krankenkasse and Barmer. The interface for electronic replacement certificates is relatively new and has so far been optional, which is why many practice applications do not yet support it. Saatjohann expects this to change, which means that attackers could use ready-made software to reduce the effort involved.

"The large health insurance companies in particular have been offering the procedure [the electronic replacement certificate, editor's note] since last year. In view of the fact that the electronic replacement certificate will be mandatory for health insurance companies from July 2025, most health insurance companies have already implemented it." The procedure for the replacement certificates has been known since 2023, so attackers would have had enough lead time. Those affected whose address and insurance start date become known to third parties could only protect themselves by moving or changing their health insurance provider. "That can't be the case," says Tschirsich.

Gematik, which is responsible for the digitalization of the healthcare system and therefore also for the ePA, said it acted immediately after the allegations became known. "According to the CCC, it was possible to falsify the treatment context of an insured person using electronic replacement certificates from insurance cards. In combination with the insurance number, a coding key and an illegally obtained practice ID card (SMC-B) and a connection to the telematics infrastructure (TI), it would theoretically be possible to access individual patient files," Gematik states. It does not assume that insurance data has actually been leaked.

In the Spiegel report, the security researchers describe the new central security mechanism as "demonstrably ineffective". Tschirsich is quoted as saying: "An additional padlock has been put on the door, but the key is still under the doormat." CCC spokesperson Linus Neumann criticized the chosen security approach to Der Spiegel as "patchwork" that "increases complexity without improving protection."

Federal Health Minister Karl Lauterbach explained in Gematik's statement: "In the early phase of the ePA launch, such attack scenarios were to be expected. I am grateful to Gematik for reacting immediately to the first indications and closing the security gap. The electronic patient file must remain very well protected. Mass attacks on patient data must be ruled out."

(mack)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.