Berlin. According to the AOK Federal Association, several general local health insurance funds (AOK) are affected by a security vulnerability in software used for data transmission.
The AOK Federal Association announced on Friday that it is examining whether the vulnerability enabled access to the social data of insured persons. Social data is personal data about the insured such as address, date of birth, pension insurance number and tax identification number.
The AOKs Baden-Württemberg, Bavaria, Bremen/Bremerhaven, Hesse, Lower Saxony, Rhineland-Palatinate/Saarland, Saxony-Anhalt and AOK Plus in Saxony and Thuringia as well as the federal association are affected. The health insurance companies have a total of around 19 million insured persons.
The vulnerability enables unauthorized access to an application that is used to exchange data with companies, service providers and the Federal Employment Agency. After the vulnerability in the software was identified on Thursday, measures to secure the data were initiated immediately.
In addition, the Federal Office for Information Security (BSI) was informed. The authority wrote in a statement on Friday that it was “observing the active exploitation of the vulnerability with confirmed data leakage.”
The IT security researcher Martin Tschirsich therefore warns that the damage could be even greater. In addition to the AOK, the BSI, the affected IT company Moveit and the IT blog TrustedSec have provided information about the incident. According to Tschirsich, attackers could not only view, copy and delete data. They could also have logged into the affected software and penetrated even deeper into the system, he told Handelsblatt.
Cyber attack on health insurance companies in January
“Health data is highly worthy of protection,” said the FDP digital expert Maximilian Funke-Kaiser to the Handelsblatt. “In order to minimize the risk of a data leak, we therefore need more regular risk assessments.” The software must be securely programmed from the ground up with minimum standards. “This approach is also anchored in the coalition agreement.”
The former data protection officer of Baden-Württemberg, Stefan Brink, described security gaps in the area of health and social data as “particularly serious”, because the data concerned are particularly revealing, Brink told Handelsblatt. They disclose intimate information about the health and social status of the individuals affected.
“That’s why such data also enjoys special protection and requires maximum security,” emphasized Brink. “In the wrong hands, such information can endanger jobs, give rise to defamation, discrimination and even blackmail.”
Health insurance companies have recently been increasingly targeted by hackers. At the beginning of the year, a cyber attack leaked data from patients with statutory health insurance. In mid-January, a cybercriminal stole data from the health IT service provider Bitmarck and published it on the dark web. Bitmarck develops and operates IT applications for around 80 statutory health insurance companies, which insure a total of 25 million people.
Bitmarck told the Handelsblatt at the time: “It is general information such as first names and surnames as well as insurance numbers.” Address data is not included. Bitmarck did not provide any information about the number of insured persons affected.
At the end of April, however, Bitmarck was again the victim of a cyber attack. To date, not all systems of the affiliated health insurance companies have been fully restored. However, there is said to have been no further theft of policyholder data.