German Health Minister Karl Lauterbach has pushed forward the electronic patient file (ePA), despite warnings from various groups. The pilot phase began on January 15, and the project is expected to be rolled out for all statutorily insured individuals who do not object by February. However, a coalition of medical, consumer protection, and information technology organizations is now calling for the project to be stopped, citing grave security concerns.
Lauterbach, who had previously been criticized for spreading misinformation about the COVID-19 vaccine, has been promoting the ePA, downplaying the risks and concerns raised by experts. He has been joined in his efforts by Alena Buyx, a former ethics chief and current curator of the Bertelsmann Foundation, who has acknowledged that the ePA is not completely secure but believes the risks are worth taking.
On the other hand, medical professionals, IT specialists, and consumer advocates see the situation very differently. In an open letter, 28 organizations and 17 individuals from various fields have called on the health minister to address the concerns and ensure the ePA is safe before its nationwide rollout. They are demanding that patients, doctors, IT experts, and civil organizations be substantively involved in the current test phase, and that the project only be implemented after a “joint positive assessment of the experiences in the pilot regions.” Independent experts should also be allowed to regularly inspect the ePA for security vulnerabilities, they emphasize.
Critics have also pointed to the long-standing problem of the ePA’s “authorization management,” which allows any healthcare employee to access sensitive patient data, including information about mental health, medical conditions, and medications, data whose disclosure could lead to stigmatization.
According to the Free Doctors Association, the ePA’s security is even lower than that of online banking. The data is stored in a cloud operated by the private companies IBM and Rise, and there is no end-to-end encryption. Anyone who knows a person’s name, date of birth, and health insurance number can easily obtain a card granting access to that person’s medical records, the association claims, citing a recent hacking incident that left 300,000 patient records exposed.
Moreover, the ePA’s design allows any employee in the healthcare system to access patient data: not just doctors and nurses, but also pharmacists, physiotherapists, and even fitness trainers. This creates what Wieland Dietrich, the head of the association, calls a “heinous extortion potential.”
Security experts from the Chaos Computer Club (CCC) have demonstrated how easily hackers can obtain health insurance cards and access patient data. They warn that the ePA’s current design would give criminals a “free pass” to access over 70 million patient files.
It remains to be seen whether the future government will change course on the ePA, given the involvement of private companies in the project. For now, however, individuals can still object to the ePA.