Digital Health: Further e-health cards exchanged due to security flaw
Customers of D-Trust and SHC+Care must exchange their already ECC-enabled electronic professional health cards. It is unclear how many are affected.
As a result of the transition of encryption from RSA to Elliptic Curve Cryptography (ECC), numerous components such as electronic professional health cards must be exchanged. After an extension of the deadline, this must happen by the end of June 2026 at the latest. However, some doctors who already have ECC cards face another exchange: "Cards with the affected Infineon chip that use the ECC procedure may only be used for qualified electronic signatures until June 30, 2026, at the latest," according to information from D-Trust. The responsible parties do not say how many are affected.
Gematik writes about this: "The vulnerability exclusively affects the ECC encryption algorithm of a card product from a specific manufacturer and has now been resolved. All affected cards are therefore already ECC-enabled. As part of the transition from RSA to ECC, cards were delivered to customers that are not affected by the vulnerability."
The measures are being taken in close coordination between the BSI, the Federal Network Agency, and Gematik. For regulatory and technical reasons, all affected eHBAs will be successively blocked by the specified date.
eHBAs of generation 2.1 from providers SHC+Care and D-Trust, based on cards from manufacturer Idemia with Infineon chips, are affected. A vulnerability in the ECDSA implementation of Infineon crypto libraries became known for these chips in September 2024 (EUCLEAK). Gematik subsequently revoked the approval of the affected cards in January 2025 through an administrative act.
While D-Trust was able to switch to cards from manufacturer Giesecke+Devrient at short notice after the approval was revoked, SHC+Care legally challenged Gematik's decision. The company filed suit against the withdrawal of approval for the affected Idemia cards and won in the Schleswig Social Court. Later, the Schleswig-Holstein State Social Court confirmed the ruling (file reference: L 5 KR 38/25 B ER). The Social Court also found that the telematics infrastructure itself was not affected and there was no acute danger.
Even with the affected cards, valid qualified electronic signatures could still be generated. A successful EUCLEAK side-channel attack would have required physical access to the card, knowledge of the individual PIN, as well as special equipment and expert knowledge.
How affected individuals can identify their card
According to D-Trust, affected cards can be easily identified: the inscription "Idemia" is printed on the back. Cards with the inscription "G&D" are from manufacturer Giesecke+Devrient and are not affected. D-Trust has been delivering these since February 2025. According to D-Trust, customers with affected cards will be informed directly by email and do not need to take any action themselves. To heise online's knowledge, some doctors have already been informed by D-Trust.
"The exchange of the affected eHBAs started in January 2026. For this, all customers will be contacted personally and informed about the exchange options," D-Trust stated upon request. Affected individuals can "exchange their current eHBA free of charge for a replacement card with an identical validity period. Alternatively, a follow-up card with a new validity period of five years can also be ordered. For most professional groups, there is also a 20 percent discount on follow-up cards. Signature and seal cards from D-Trust, which were also affected by the vulnerability, were already exchanged by the end of 2025," according to D-Trust, which referred to its FAQ.
According to SHC, the exchange affects "only a limited portion of the eHBAs issued by us." The exchange started in 2025. "A significant portion of the affected cards has already been exchanged, and the remaining ones will be exchanged successively." The company wants to ensure that all cards are exchanged before the deadline. "The exchange is carried out in such a way that affected customers incur no financial disadvantages or disruptions to their practice operations," SHC told heise online.
(mack)