Electronic patient files: Chaos Computer Club criticizes Lauterbach

Serious security deficiencies
Chaos Computer Club criticizes Lauterbach for electronic patient files






The “electronic patient record for everyone” is to be introduced from Wednesday. Now the Chaos Computer Club is making serious allegations against the Federal Minister of Health.

Before the gradual introduction of the “electronic patient file for everyone” begins on January 15th, the Chaos Computer Club (CCC) has criticized Federal Health Minister Karl Lauterbach’s (SPD) handling of alleged security gaps in the prestige project. CCC member Martin Tschirsich reported in an interview with Stern that their concerns were not taken seriously for months.

When asked, a spokesman for the Ministry of Health rejected the CCC’s representation as “not correct”.

According to Tschirsich, criminals could gain extensive access to sensitive health data through the vulnerabilities. In the coming weeks, more than 70 million German citizens will receive electronic patient files, in which diagnoses, doctor’s letters, medications and other health data will be recorded centrally. According to Tschirsich, the CCC has proven “that attackers would be able to access all digital patient files.”

How secure is the electronic patient record?

According to Tschirsich, he had already informed the Gematik agency about the manipulation possibilities in August 2024. As the “National Agency for Digital Medicine”, Gematik is responsible for the telematics infrastructure, i.e. the secure networking of medical care within Germany. In December 2024, Tschirsich continued, he demonstrated the security gaps in practice, shortly before a planned publication of the findings at the CCC Congress in Hamburg.

Health Minister Karl Lauterbach then contacted the CCC through his office and “very urgently” asked for a personal conversation, said Tschirsich. However, at a video conference on December 20, CCC representatives did not have the opportunity to raise their concerns or address further security deficiencies. “He made it clear to us that this file was coming – come what may, that was our impression,” said Tschirsich. Lauterbach informed them that the electronic patient file would be introduced on January 15th, “even without resolving the causes of possible attacks that we criticized.” However, measures would be developed to make a large-scale attack more difficult.

When asked, the Federal Ministry of Health stated that the attack scenario presented by the CCC in December was “new in this combination”. “Both the Federal Ministry of Health and Gematik reacted directly to this,” said a spokesman. “This new security gap is currently being technically resolved and will be resolved by the time the ePA (editor’s note: electronic patient file) is launched in Germany. The ePA for all will not go online until such risks of mass attacks have been ruled out.” In the pilot phase, the CCC attack scenario is not relevant because only doctors registered for the test phase have access to patient files in the treatment context.

When asked, Gematik also said that the CCC’s attack scenario was unknown until December and had “made a new risk assessment necessary”. Gematik addressed the CCC’s points with a package of measures. Once the measures have been implemented, nothing stands in the way of the nationwide rollout.

Source: Stern
