
The electronic patient record (ePA) is once again the focus of criticism: security researchers have recently uncovered serious vulnerabilities in its infrastructure that could potentially allow access to sensitive health data. This was revealed in a Spiegel investigation. Despite the protective measures already implemented, the latest revelations show that the ePA is still vulnerable to attacks. This raises questions about the effectiveness of the previous security concepts and calls for a reassessment of the digital health strategy.
- Hackers have been able to circumvent new ePA protection mechanisms.
- Access to personal data such as insurance start date and address was possible.
- Gematik responded with emergency measures and suspended affected procedures.
- Experts are calling for a comprehensive review and improvement of IT security.
New attack scenarios despite updated security measures
In the first week after the official launch of the electronic patient record (ePA), another security vulnerability was uncovered. According to a report in “Der Spiegel”, the Chaos Computer Club (CCC) was able to circumvent a central new protective measure and informed the relevant authorities. The operator organization Gematik reacted immediately with an emergency measure and suspended the affected procedure – the so-called electronic replacement certificate – for the time being. Using this certificate, attackers were able to automatically retrieve personal data such as the insurance start date and address, which is what is needed to calculate the new check value introduced as a security measure. According to Gematik, however, there are so far no indications of unauthorized access to patient records.
The CCC had already uncovered several vulnerabilities in the ePA system at the end of 2024, which is why the launch was postponed. According to Federal Health Minister Karl Lauterbach, the ePA will only be fully introduced once all potential attacks – including those by the CCC – have been technically ruled out.
Reactions and political consequences
The incident also has political consequences: Health authorities and data protection officers are now calling for a comprehensive review and further investment in the IT security of the ePA platforms. The electronic patient record is regarded as a central element of the digitalization of the healthcare system – however, trust in its security has been increasingly shaken.
Gematik emphasizes that the highly sensitive data contained in the ePA is protected by a special security concept. According to Der Spiegel, however, this is not the case. A review by the Fraunhofer Institute for Secure Information Technology (SIT) in September 2024, on the other hand, concluded that the system architecture was appropriate overall but could still be improved. The SIT’s final report identifies a total of 21 vulnerabilities, 4 of which are classified as “high”.
Conclusion
The recent revelations about security vulnerabilities in the electronic patient record underline the need for a comprehensive review and improvement of IT security measures. Although Gematik and the Federal Ministry of Health have reacted quickly, confidence in the security of the ePA remains shaken. Successful digitalization of the healthcare system requires not only innovative technologies but also robust security concepts that guarantee the protection of sensitive patient data.