Excitement in Tyrol – hacker attack? Thousands of PCR test results leaked


The next explosive chapter in the “HG Pharma” case: In Tyrol, apparently more than 24,000 positive PCR test results were leaked from January to June, ie made public. The ex-managing director of the criticized company HG Lab Truck, a subsidiary of HG Pharma, Ralf Herwig, sent the data in August by email in the form of Excel sheets – encrypted, as he emphasizes.

Herwig confirmed this and explained the alleged leak by saying that he had been the victim of a hacker attack. This was reported by “Der Standard” and ORF Tirol. Further checks had shown this, namely that there had been a hacker attack on his mailbox, Herwig said. He sent the mail on August 10 for the purpose of a “back-up”. It was very well encrypted, said the controversial urologist, after initially there was talk of an unencrypted transmission.

Investigations initiated
Because of the data leak, he initiated “IT forensic investigations”, said Herwig, whose company originally carried out the PCR tests for the state of Tyrol. Until the investigations are completed, he could not provide any further information. Then he would inform the competent authority and file a criminal complaint, announced the ex-HG Pharma boss.

Sensitive data
According to the reports, the data with the results include the patient’s name, place of residence, dates of birth and details as well as the respective virus mutations. Names of well-known politicians such as those from List Fritz boss Andrea Haselwanter-Schneider and ÖVP National Council member Franz Hörl are said to be among them.

Fatal consequences for those affected are possible
The whole thing will also be a case for the data protection authority. This will now initiate an examination on suspicion of a violation of the General Data Protection Regulation, and administrative criminal proceedings are also possible, it said. Those affected could also file a complaint with the authority. In the “Standard”, privacy advocates criticized the fact that such sensitive information should not simply be sent by e-mail. If such data were to circulate, it could have serious consequences for those affected.

According to the “standard”, the recipient of the e-mail is an external IT technician. His former employer, an IT company, would accuse him of having illegally taken over the software it programmed itself to process PCR test results and of using it without their consent.

“Duty to protect sensitive data”
The state emphasized that, based on the current state of knowledge, it could be ruled out that health data from its own servers and systems were made public, as the APA said: to protect sensitive data. “

The respective “data processing contractual partner” is responsible for the implementation and compliance with the data protection regulation. “If it is actually true that health data has been passed on to third parties contrary to the agreements, this must be condemned in the strongest terms and the state of Tyrol reserves the right to take legal action,” said those responsible.

Vortex around direct award
The case of HG Pharma or HG Lab Truck has been a concern of the media and politics, but also the judiciary, since spring. The black and green Tyrolean state government came under fire at the beginning of May because of the cause. Above all, the direct award of the around eight million euro contract without a tender to the Herwigs company last September caused sharp criticism. The country always denied unlawful action. The HG Lab Truck had apparently partly incorrect mutation evaluations in the Tyrolean PCR samples.

By the way, the country ended its collaboration with HG Lab Truck after all the excitement. The company did not get a chance after a tender.