Chaos Computer Club uncovers further security vulnerability in e-patient records

Newsworm with AFP, May 1, 2025
Germany's new electronic patient record (ePA) system faced a security flaw after launch, allowing potential unauthorized access via substitute health insurance certificates. Gematik quickly fixed the issue, with officials assuring data is now secure. The ePA aims to streamline access to medical histories for better care.
Following the nationwide launch of the electronic patient file (ePA), the Chaos Computer Club has discovered another security gap - AFP

Following the nationwide launch of the electronic patient record (ePA), the Chaos Computer Club (CCC) has discovered another security vulnerability. Acting Federal Health Minister Karl Lauterbach (SPD) responded to a related report by Der Spiegel on the online platform X on Wednesday evening. He linked to the article and wrote: "I am grateful to Gematik for responding immediately to the initial indications and for closing this security gap as well."

Gematik, the company responsible for the technical implementation of the ePA, confirmed that it had been informed of a scenario, described by the Chaos Computer Club, that allowed unauthorized access to electronic patient records. According to the report, electronic substitute certificates for health insurance cards could be used to obtain certain information, potentially enabling access to individual patient records.

Gematik stated it had closed the security gap, which "could have affected individual policyholders of certain health insurers." Affected users are being identified and protected.

After several months of testing in three pilot regions, the ePA was launched nationwide on Tuesday. The system allows a patient's entire medical history to be viewed at the push of a button. The goal is to enable doctors to immediately understand what treatments have been performed, where risks lie, and whether additional preventive care is advisable.

According to the Health Ministry, the data is stored on secure servers and encrypted in the ePA. Even before the test phase, the Chaos Computer Club had reported vulnerabilities, which Lauterbach said have since been resolved. These security measures were implemented in cooperation with the Federal Office for Information Security (BSI).