Whistleblower Exposes Fake Objection in Electronic Patient Record System

A whistleblower has uncovered a security loophole in the objection (opt-out) procedure for the electronic patient record (ePA). By his own account, he submitted an objection on behalf of a patient to the health insurance company Barmer in April, providing only the patient's name and address together with a fictitious signature. No identity check was carried out, the whistleblower told the “Handelsblatt” (Tuesday edition). The patient had been informed about the procedure beforehand. Shortly afterwards, she received an email confirming the deletion of her ePA.

The whistleblower, who works as a service provider in the health insurance sector, criticizes inadequate verification mechanisms. “The health insurance companies obviously have no identity data to ensure that an objection is actually from the insured person,” he said. Barmer rejected the accusation: an objection cannot be made without the participation of the affected person, the company stated, referring to its objection form, which provides a field for the health insurance card number. According to the form itself, however, that entry is only required for co-insured persons.

Asked for comment, the Federal Ministry of Health (BMG) stated that it could not comment on individual cases. “Health insurance companies are obliged to implement the objection process simply and securely,” said a spokesperson. In the ministry's view, the described case was not a technical weakness of the ePA but rather a case of document forgery.