German patient data could be accessed unprotected on the Internet. The gap has now been closed, but the affected patients will probably not be informed.
German patient data was unprotected on the internet: 1 million data sets.
It is the “InSuite” software from Doc Cirrus, as reported by the Tagesschau. Doctors can use it to manage patient appointments, but above all the digital patient files. Laboratory findings can also be shared with patients or other doctors via “InSuite”. The data is decentralized on small servers, called “data safe” by Doc Cirrus, in the respective medical practices, so it is not a central cloud service. This should increase security.
But the security researchers at Zerforschung gained access to the e-mail accounts of the medical practices registered with “InSuite” without any problems. The researchers could then have viewed the entire e-mail communication between doctor and patient. The security experts also found other gaps that allowed access to the patients’ personal data: diagnoses, laboratory findings, blood values or certificates. According to the Berlin data protection officer, more than 60,000 patients from more than 270 practices are affected. It’s about a million records.
Anyone else interested could have done the same. The sensitive data was not adequately protected.
Security researchers informed manufacturers
The security researchers informed Doc Cirrus and the responsible authorities. The company shut down the system and confirmed the vulnerability. The company immediately closed the loophole that was caused by programming errors. No sensitive data was leaked, as Doc Cirrus writes: “Our analyzes of logs and access patterns offer no reason to assume that practice or patient information was viewed or accessed by third parties outside of the responsible disclosure process.”
However, Doc Cirrus does not give details of the problem or the number of doctor’s offices affected. Doc Cirrus is also silent when asked if the affected patients have been informed; it only confirms that it has informed its customers, for example the medical practices, and the authorities. AOK Nordost, a user of “InSuite”, says that the affected patients were not informed. According to AOK Nordost, there was no data breach. Most of the “InSuite” services are now available again.
Zerforschung detailed here how it found and analyzed the vulnerabilities.