Software for medical practices from the Berlin-based company Doc Cirrus is used by many doctors in Germany. The only problem is that the highly sensitive health and patient data is not as private as it should be. A security hole in the software made patient and health data accessible to third parties. More than one million data records of an estimated 60,000 patients are said to have been affected.
Doc Cirrus: inSuite practice software with data leak
The practice software inSuite, developed by the Berlin-based company, is actually meant to make doctors' work much easier. According to the manufacturer's own homepage, the cloud-based software is, among other things, modular and expandable, works completely maintenance-free and offers maximum data protection.
That the last point in particular apparently does not hold is shown by the collective Zerforschung in its report, as covered by Tagesschau. According to Zerforschung, more than a million data records containing highly sensitive patient and health data were exposed by massive security flaws and made fully accessible to unauthorized persons. By their estimate, around 60,000 patients were affected.
According to the report, the collective was able to gain access to the e-mail accounts of the medical practices registered with the software. With inSuite, these practices are provided with data safes: small private servers for the respective practice that are not reachable from the Internet but are centrally controlled by a Doc Cirrus service.
Email traffic freely viewable
It was precisely in this external access that the security gap lay. Zerforschung was thus able to obtain the complete access credentials for the general e-mail box of the corresponding medical practices and so read every e-mail the practice received.
“And not infrequently these contain the most private information about patients,” Zerforschung wrote in the blog post. This despite existing end-to-end encryption, which apparently did not extend to the sensitive documents. Personal data such as names, diagnoses, blood values and in some cases even prescribed medications could be accessed freely and unencrypted, the collective said.
Company completely shuts down software
Zerforschung forwarded its findings directly to the German Federal Office for Information Security (BSI) and informed the manufacturer Doc Cirrus, which responded promptly and completely shut down the inSuite portal.
The company announced this in a press release dated July 11, 2022 on its own homepage and attributes the vulnerability to a programming error in its own software.
“The affected services were immediately deactivated and checked by us after receipt of the message,” said Doc Cirrus. Internal analyses of log files and access patterns, however, offered no reason to believe that practice or patient information had been viewed or accessed by third parties, it added.
The programming errors have since been corrected and the affected services “are for the most part already active again”. However, the company did not want to reveal how many medical practices in Germany use the software at all, or which of them were affected by the security gap.
Nor did it say whether patients were informed about the security gap. NDR and WDR, reporting under the Tagesschau umbrella, point out, however, that although Doc Cirrus advertises the particularly high security of its solution with many certificates, none of these certificates concern data protection.
The IT security of practice management systems lies solely in the hands of the respective providers, the National Association of Statutory Health Insurance Physicians (KBV) stated in response to an inquiry from NDR and WDR.