Electronic patient record: Data theft by hackers still possible

Berlin/Hanover. Shortly before the turn of the year 2024/25, the peaceful mood among those responsible for the electronic patient record (ePA) came to an abrupt end: hackers from the Chaos Computer Club (CCC) demonstrated at the club's annual conference how the new digital system could be attacked, in a way that could potentially have granted access to millions of records. As a result, the introduction of the ePA was initially postponed, and around five percent of insured individuals objected to its use.
The electronic patient record (ePA) has now been officially introduced – and since October 1st, it has been mandatory for healthcare providers. Significant improvements have also been made to security measures in recent months: Gematik, the federal agency for digital medicine, has made several enhancements following reports from the Chaos Computer Club (CCC). Hacking the ePA is more difficult today, but it's not impossible.
The IT experts at the CCC criticize one detail in particular that still makes the newly introduced tool vulnerable. According to Gematik, a solution is in sight – but not until sometime next year at the earliest.

It's finally here: The electronic patient record is already in operation. But many patients are still unsure: How can you access the record? Who decides who can see what? And: How secure is the sensitive data?
To understand the problem, one must understand how the electronic patient record (ePA) works. Currently, anyone wanting to access a patient's record needs two things: a practice ID card, and the patient's complete identifying data, specifically the card number, the health insurance number, the address, and the insurance start date. Gematik has already tightened this step: the previous combination of card number and health insurance number alone is no longer sufficient for access. Furthermore, following criticism from the Chaos Computer Club (CCC), the developers have limited the number of accesses that can be made.

The hurdles for an attack have therefore become significantly higher, but not insurmountable. Every item on that list is static data: addresses could be obtained through data leaks, other details through phishing, so the check identifies the patient without proving that anything is physically present at the practice. At the CCC's annual conference, IT specialists Bianca Kastl and Martin Tschirsich also demonstrated how they had obtained health insurance cards by phoning health insurance companies, and even doctor's ID cards via a security vulnerability. In April, the hackers then demonstrated again how the ePA can be attacked via the so-called substitute certificate procedure. Gematik subsequently closed this security gap as well.
However, this is still not entirely satisfactory for the hackers: the way the agency handles security vulnerabilities is "clearly improvable," Kastl told the RedaktionsNetzwerk Deutschland (RND). To effectively minimize the risk, the IT expert would like to see one very specific procedure implemented for the ePA.

Every person with statutory health insurance can read and manage their electronic patient record on their smartphone. However, very few actually do so. Yet it's important, for example, to lock sensitive documents.
“Currently, the only thing required to access an electronic patient record (ePA) is a lot of information: card numbers, health insurance numbers, address, and the date the insurance coverage began,” explains Kastl. “The problem could be solved by only reading signed, authentic data from the health insurance card. This would allow for cryptographic verification beyond doubt that a card issued by a health insurance company is actually being read – a secure technology has therefore existed for some time, but has not yet been used for the ePA.”
According to Gematik, precisely such a procedure is now planned for next year, as the agency informed the RND: a "Proof of Patient Presence" (PoPP) procedure. When asked about the CCC's proposal for a digital cryptographic signature, the agency stated: "Yes, such a procedure is planned with PoPP." However, it is still under development, so no details can be provided.
Technically, the process should work as follows: the patient inserts the health insurance card into the reader at the doctor's office, just as before. But instead of simply reading static data from the card, a challenge-response exchange runs in the background. The PoPP service, part of the security system, generates a random number (a nonce) and sends it to the card. The card answers with a cryptographic response computed from that number using a secret key that never leaves the chip; the source describes this step as the card encrypting the number, and in the signature terms Gematik itself uses it is the card signing the challenge. Only if that response checks out against the certificate the insurer issued for the card is the card accepted as genuine and physically present at the reader. Because the number is fresh every time, a recorded response cannot be replayed, and copied static data (card number, insurance number, address) is of no use without the chip. Strictly speaking, this proves the presence of the card rather than of the patient. The authorities did not initially specify a precise start date in 2026.
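The exchange described above, as an added example that is not part of the article, of Gematik's specification or of any Gematik code: the real PoPP details are, as the article says, not yet published, so this toy uses textbook Schnorr signatures over a freshly generated prime-order group (standard library only) in place of the card's actual smartcard cryptography. Everything else is assumed for illustration: the `PoPPService`, `issue_card` and `cert_body` names, the `PoPP|` message framing, the certificate layout, and the sample card number. It also shows why the static data listed earlier (card number, insurance number, address) cannot substitute for the chip.

```python
# Added toy model of a PoPP-style challenge-response; not Gematik code. Stdlib only:
# textbook Schnorr signatures over a generated prime-order group stand in for the card's crypto.
import hashlib
import secrets

def is_probable_prime(n, rounds=32):
    # Miller-Rabin; probabilistic, adequate for generating demo parameters
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(q_bits=160, p_bits=512):
    # Schnorr group (p, q, g): primes with q | p-1 and a generator g of order q
    q = p = 4
    while not is_probable_prime(q):
        q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1
    while not is_probable_prime(p):
        p = ((secrets.randbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))) & ~1) * q + 1
    g = 1
    while g == 1:
        g = pow(secrets.randbelow(p - 3) + 2, (p - 1) // q, p)
    return p, q, g

def keygen(G):
    p, q, g = G
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)  # (private, public)

def _h(G, r, msg):
    p, q, _ = G
    d = hashlib.sha256(r.to_bytes((p.bit_length() + 7) // 8, "big") + msg).digest()
    return int.from_bytes(d, "big") % q

def sign(G, x, msg):
    p, q, g = G
    k = secrets.randbelow(q - 1) + 1
    e = _h(G, pow(g, k, p), msg)
    return e, (k - x * e) % q

def verify(G, y, msg, sig):
    p, q, g = G
    e, s = sig
    return 0 <= e < q and 0 <= s < q and _h(G, pow(g, s, p) * pow(y, e, p) % p, msg) == e

def cert_body(G, card_id, y):
    return b"eGK-cert|" + card_id + b"|" + y.to_bytes((G[0].bit_length() + 7) // 8, "big")

def issue_card(G, insurer_sk, card_id):
    # the insurer certifies (card_id, card public key); the private key stays on the chip
    x, y = keygen(G)
    return {"sk": x, "cert": (card_id, y, sign(G, insurer_sk, cert_body(G, card_id, y)))}

class PoPPService:
    # hands out single-use random challenges and verifies the card's answer
    def __init__(self, G, insurer_pk):
        self.G, self.insurer_pk, self._open = G, insurer_pk, set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._open.add(nonce)
        return nonce

    def check(self, nonce, cert, response):
        if nonce not in self._open:  # unknown or already consumed: replay
            return False
        self._open.discard(nonce)  # each challenge is accepted at most once
        card_id, y, cert_sig = cert
        if not verify(self.G, self.insurer_pk, cert_body(self.G, card_id, y), cert_sig):
            return False  # not a card issued by the trusted insurer
        return verify(self.G, y, b"PoPP|" + nonce, response)

def demo(G=None):
    G = G or make_group()
    insurer_sk, insurer_pk = keygen(G)
    card = issue_card(G, insurer_sk, b"80276001234567890")  # constructed sample card number
    popp = PoPPService(G, insurer_pk)
    n1 = popp.challenge()
    r1 = sign(G, card["sk"], b"PoPP|" + n1)  # attacker records n1, r1 and all static data
    out = {"genuine_card": popp.check(n1, card["cert"], r1)}
    out["replayed_response"] = popp.check(n1, card["cert"], r1)
    out["old_response_to_new_nonce"] = popp.check(popp.challenge(), card["cert"], r1)
    xa, ya = keygen(G)  # attacker's own key paired with the victim's card number
    fake = (card["cert"][0], ya, sign(G, xa, cert_body(G, card["cert"][0], ya)))
    n3 = popp.challenge()
    out["forged_certificate"] = popp.check(n3, fake, sign(G, xa, b"PoPP|" + n3))
    return out
```

`demo()` returns True for the genuine card and False for the three attacks: replaying a captured answer, presenting an old answer to a new challenge, and pairing the victim's card number with a key the insurer never certified. Two design points carry over to any real deployment: the nonce must be unpredictable and consumed on first use, otherwise an attacker who has copied the readable data can answer ahead of time; and the verifier must check the chain up to the insurer's key, otherwise any chip that can sign would pass. What the exchange does not prove is who is holding the card.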

Until then, at least a residual risk remains. IT experts repeatedly point to the dangers that can arise from inadequate authentication measures within the electronic patient record (ePA). Kastl cites a case from Singapore: "In 2018, the health data of 1.5 million people were accessed there. The target was also the medication list of the Prime Minister." Data of this sensitivity makes such leaks "a risk for entire nations," because they enable attacks on other critical infrastructure or politicians, the expert explains.
Kastl cites as another case the 2023 cyber breach at Bitmarck, an IT service provider for statutory health insurance companies and a provider of the electronic patient record (ePA). In this breach, data such as names, dates of birth, and the unique medical record number of the insurance card belonging to approximately 300,000 online customers of various health insurance companies were compromised. At the time, IT experts also identified inadequate authentication measures as one of the reasons for the breach.
For private individuals, such attacks can have serious consequences. In Denmark, a country with far more digitalized infrastructure, perpetrators gained access to the most personal information of tens of thousands of patients, including medical records, via a group of medical practices. Allan Frank, an IT security specialist at the Danish Data Protection Agency, told the RND at the time that such intimate data could be used for blackmail attempts – after all, very few of those affected would want their treatments to become public.
In Germany, most patients apparently feel secure enough with their electronic patient record (ePA) – despite its shortcomings. A few weeks ago, Gematik published updated usage figures. These figures showed a further increase during the first four weeks, in which medical practices, pharmacies, and hospitals were supposed to use the ePA for everyone.
17.4 million medication list requests were recorded in the last week of October. In the last week of September, the figure was 12.6 million. The population of patient records is also progressing: 10.6 million documents were uploaded in October alone. The total number since the launch of the electronic patient record (ePA) is 37 million.
The proportion of those who have objected to the electronic patient record (ePA) remains comparatively low. As the National Association of Statutory Health Insurance Funds (GKV-Spitzenverband) informed the RND news network, the objection rate remains at approximately five percent.
rnd