Lower Saxony: Data exfiltration at healthcare audit association

Following a cyberattack on a healthcare audit association, investigators confirm data exfiltration. The extent is still unclear.

[Image: stethoscope and a notepad in green hospital color (janews / Shutterstock.com)]


Following a cyberattack on the Arbeitsgemeinschaft Wirtschaftlichkeitsprüfung Niedersachsen (Arwini e. V.), data has been exfiltrated from the audit office's system, according to the Hannover police directorate. Arwini processes health and billing data of statutory insured persons in Lower Saxony and audits the cost-effectiveness of medical prescriptions on behalf of statutory health insurance funds and the Kassenärztliche Vereinigung Niedersachsen (KVN). The ransomware group “Kairos” is behind the attack, as confirmed by the police to heise online.

The “Hannoversche Allgemeine Zeitung” (HAZ) initially reported on the incident.

Arwini had stated that in the worst-case scenario, up to 75,000 data records could be affected. In response to an inquiry from heise online, the association's external data protection officer, Jürgen Recha, stated that it was still unclear whether any data had been exfiltrated at all, and if so, which. Recha could not assess the authenticity of the sample posts on the leak site of the ransomware group “Kairos”. Arwini also made no statements regarding where the data is stored or how it is technically processed. AOK informed the HAZ that its own systems were not affected.

According to a spokesperson for the Kassenärztliche Vereinigung Niedersachsen (KVN), the KVN transmits pseudonymized data sets to the responsible audit office quarterly. Patient data is anonymized in this process. However, doctor-related data such as doctor numbers and practice numbers are included so that the audit office can attribute economic anomalies to individual practices. The identity of doctors and practices is therefore traceable. A review agreement from 2022 shows that, if necessary, further information, such as the insurance number, can also be requested.


“Kairos” threatens to sell a 2.87 terabyte data set, which has been listed on the group's leak site since May 11. The scale is in striking contrast to the 75,000 potentially affected data records mentioned by Arwini; whether the attackers have actually obtained data of this magnitude has not yet been verified. Sample files are also visible on the leak site, mostly letters between health insurance companies and doctors. According to the police, the authorities are exchanging information internationally regarding Kairos, including with Spanish investigators.

Meanwhile, a data breach notification has also been received by the State Commissioner for Data Protection in Lower Saxony. It is currently being checked whether the notification was submitted within the deadline. When asked, the authority also pointed to the obligation to inform those affected. People whose data may be affected must be informed “immediately” if there is a likely high risk to their rights and freedoms, unless exceptions under Article 34 of the General Data Protection Regulation (GDPR) apply.

(mack)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.