The Chaos Computer Club (CCC) has criticized the handling of alleged security vulnerabilities in the “electronic patient record for all” project by German Federal Minister of Health Karl Lauterbach (SPD). According to CCC member Martin Tschirsich, the concerns were not taken seriously for months. A spokesperson for the Health Ministry denied the CCC’s claims, stating that this account was “not correct”.
Tschirsich claims that the vulnerabilities could allow criminals to gain access to sensitive health data. The electronic patient record, which will be introduced in the coming weeks, is expected to store diagnoses, doctor’s notes, medication, and other health data in a central database for over 70 million Germans. The CCC claims to have demonstrated that an attacker could gain access to all digital patient records.
Tschirsich stated that he had informed the Gematik, the National Agency for Digital Medicine, of the security issues in August 2024, and had demonstrated the vulnerabilities in practice in December 2024, just before a planned presentation at the CCC’s congress in Hamburg.
After the CCC raised its concerns, Lauterbach contacted the organization through his office, requesting a personal meeting, which took place via video conference on December 20. However, the CCC members did not have the opportunity to present their concerns and discuss additional security issues.
“He told us that the electronic patient record is coming, no matter what,” said Tschirsich, adding that Lauterbach informed them that the project would proceed without addressing the security issues they had raised. However, the ministry would develop measures to make a large-scale attack more difficult.
A spokesperson for the Health Ministry told the magazine “Stern” that the attack scenario presented by the CCC in December was “new in this combination.” The ministry and the Gematik had reacted directly to the issue, and the new security vulnerability was being addressed and would be resolved before the electronic patient record was launched nationwide in Germany. The spokesperson added that the pilot phase would not be affected by the security issue, as only registered doctors with a legitimate reason would have access to patient records in the context of treatment.
The Gematik also responded, stating that the CCC’s attack scenario was unknown until December and had necessitated a new risk assessment. The Gematik had addressed the CCC’s points with a package of measures, and after the measures were implemented, the nationwide rollout would not be hindered.