39C3: Still ePA experiments on living citizens

ePA launched despite known security flaws; risks not transparent. Identity problems persist, experts warn. System not sufficiently secured for 2025.

The 39C3 started on December 27th in Hamburg.

(Image: Anna Gundler / heise medien)


At the 39th Chaos Communication Congress, IT security expert Bianca Kastl once again heavily criticized the electronic patient record (elektronische Patientenakte, ePA) for everyone. Despite assurances to the contrary from politicians and Gematik, the system was not sufficiently secured for the nationwide launch in 2025. The CCC subsequently called for an "end to ePA experiments on living citizens." Kastl speaks of a "year zero of IT security" and warns again about the structural weaknesses that have been known for years.

At the center of her criticism are identity and authentication problems within the telematics infrastructure. The Chaos Computer Club has repeatedly shown that access to the ePA can be misused under certain conditions, for example through error-prone replacement procedures, insufficiently protected access methods, or organizational weaknesses in the issuance of eGK, PINs, and health professional cards. Many of the countermeasures introduced afterwards – rate limits, additional check digits, or subsequent restrictions – are merely patchwork and do not change the fundamental design problems. Identity and trust service providers such as D‑Trust have also experienced dispatch errors: electronic health professional cards were incorrectly assigned and sent to other doctors.

Kastl is particularly critical of the discrepancy between official risk communication and the actual situation. While there is public talk of "end-to-end encryption" and "no access by health insurance companies," health insurance companies actually have all the data that could technically enable the simulation of cards and identities to access the ePA data. A response to a minor inquiry, for example, revealed that the Federal Ministry of Health has no knowledge of the contracts between the operators and the health insurance companies. At the same time, central documents such as an Architecture Decision Record and a data protection impact assessment are not published or only published to a limited extent – requests under the Freedom of Information Act have sometimes been rejected.


In addition, there are recurring outages and instabilities in the telematics infrastructure. An officially stated availability of 96 percent mathematically means more than two weeks of downtime per year – with direct consequences for practices and patients. Security problems with practice software, card manufacturers, and trust service providers further exacerbate the situation.

Kastl also criticizes the political strategy: security warnings from external experts have been ignored for months, and responsibility is being shifted back and forth between the ministry, Gematik, and service providers. Ultimately, the insured themselves bear the risks – through possible data protection violations, manipulations, or system failures.

The central demand from the CCC environment therefore remains unchanged: an independent and reliable assessment of security risks, transparent communication to those affected, and an open development process throughout the entire lifecycle of the ePA. Kastl's conclusion: "Trust cannot be ordered" – especially not with the country's sensitive large-scale digital projects.

(mack)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.