Security gaps at rehabilitation clinic: data of 17,000 patients accessible
CCC diagnoses "serious vulnerabilities" that reveal access to data on 17,000 patients. The reason for this is once again "digital negligence".
After a massive data leak at the ZAR rehabilitation clinics became public at the end of January, further customers of the responsible IT service provider MediTec Medizinische Datentechnologie GmbH are now affected. The data of a total of 17,000 patients was accessible at Reha Vita GmbH, whose systems are managed by MediTec. The Chaos Computer Club has now reported this.
According to the press release, the data affected included patient files including diagnoses, discharge reports and audio recordings from doctors' dictation machines, as well as bank details, health insurance data and patients' dates of birth. The patients also include players from FC Energie Cottbus. So far, neither Reha Vita nor MediTec have commented on the incident.
MediTec specializes in management software for medical practices and rehabilitation facilities and, according to its information, is used in around 180 facilities in German-speaking countries. Until the end of 2023, the company belonged to Curalie GmbH, which in turn was part of Fresenius Helios.
An IT security researcher "had come across a subdomain under the meditec-gmbh.com website" and reported it to the CCC. A subdomain scan showed, among other things, that debug mode had been left enabled on one subdomain. Requesting a non-existent URL therefore returned a list of the other URL routes the application served. One of the listed endpoints was used for server-client communication (server-sent events) and listed valid session IDs of logged-in users without any access protection. According to the CCC, such a session ID could be used to construct a valid cookie and log in to the platform.
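The debug-mode exposure described above can be checked for on one's own Django deployment. The following is an added example (not code from heise, the CCC or MediTec): it recognises Django's technical 404 page, which is only rendered when `DEBUG = True`, and audits a settings dict for the weak values that produce that behaviour. The response bodies and settings dicts are constructed samples.

```python
"""Self-check for a Django site that still has debug mode switched on.

Added example. The bodies below are constructed; in practice, pass the body
of a 404 response fetched from your own deployment.
"""

# Phrases Django's technical 404 page emits when DEBUG = True.
DEBUG_404_MARKERS = (
    "Django tried these URL patterns",
    "DEBUG = True",
)

# Constructed sample: what a debug 404 page looks like (routes exposed).
DEBUG_BODY = (
    "<h1>Page not found (404)</h1>"
    "<p>Using the URLconf defined in <code>clinic.urls</code>, "
    "Django tried these URL patterns, in this order:</p>"
    "<ol><li>admin/</li><li>events/stream/</li></ol>"
    "<p>You're seeing this error because you have "
    "<code>DEBUG = True</code> in your Django settings file.</p>"
)

# Constructed sample: a production 404 page that reveals nothing.
PLAIN_BODY = "<h1>Not Found</h1><p>The requested resource was not found.</p>"

# Constructed weak settings beside the hardened equivalent.
WEAK_SETTINGS = {"DEBUG": True, "ALLOWED_HOSTS": []}
HARDENED_SETTINGS = {
    "DEBUG": False,
    "ALLOWED_HOSTS": ["reha.example"],  # placeholder hostname
    "SESSION_COOKIE_SECURE": True,
    "SESSION_COOKIE_HTTPONLY": True,
}


def debug_404_exposed(status: int, body: str) -> bool:
    """True when a 404 response carries Django's debug page (routes listed)."""
    return status == 404 and all(marker in body for marker in DEBUG_404_MARKERS)


def audit_settings(settings: dict) -> list:
    """Return the names of settings that leave a Django site exposed."""
    findings = []
    if settings.get("DEBUG", False):
        findings.append("DEBUG")            # debug page + route listing
    if not settings.get("ALLOWED_HOSTS"):
        findings.append("ALLOWED_HOSTS")    # must be set when DEBUG is off
    if not settings.get("SESSION_COOKIE_SECURE", False):
        findings.append("SESSION_COOKIE_SECURE")   # session cookie over TLS only
    if not settings.get("SESSION_COOKIE_HTTPONLY", True):
        findings.append("SESSION_COOKIE_HTTPONLY")  # keep cookie away from JS
    return findings
```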
It was discovered that one of the customers was using Django version 1.11, which has been discontinued since April 2020. The server also ran Python 2.7.18, a version that has likewise been unsupported for years. At least five domains and subdomains exposed metadata about the installed software, and the server software had often not received any updates for years.
Outdated Linux kernel
The web server of one website was even still running on a system with Linux kernel 3.0 from October 2013 – other web servers were operated with newer, but also outdated kernel versions. Other rehab facilities were also affected.
In one installation, which appears to include most customers of MediTec Medizinische Datentechnologie GmbH, no security patches had been installed for almost five years. The operating systems as well as the Python standard library and the Python framework Django still appear to have been supported and provided with security patches.
"Thinking about data protection and data security from the outset"
The Chaos Computer Club (CCC) informed one of the affected customers, the IT service provider and two state data protection authorities. Although access to the patient data, customer data and metadata has since been closed, the company is still running outdated software. According to the CCC, the case is frighteningly reminiscent of the "current vulnerabilities of electronic patient records", in which a "careless approach to trivial medical data protection requirements" provides deep insights. "Anyone who stores health data must think about data protection and data security from the outset and not just after the next incident", says Matthias Marx, spokesperson for the CCC.
(mack)