Berlin. According to the association, several general local health insurance companies (AOK) are affected by a security gap in software for data transmission.
The AOK Federal Association announced on Friday that it was being checked whether this enabled access to social data of insured persons. Social data is personal data about the insured such as address, date of birth, pension insurance number and tax identification number.
The AOKs Baden-Württemberg, Bavaria, Bremen/Bremerhaven, Hesse, Lower Saxony, Rhineland-Palatinate/Saarland, Saxony-Anhalt and AOK Plus in Saxony and Thuringia as well as the federal association are affected. The health insurance companies have a total of around 19 million insured persons.
The gap enables unauthorized access to an application that is used to exchange data with companies, service providers and the Federal Employment Agency.
After the vulnerability in the software was identified on Thursday, measures to secure data were immediately initiated. In addition, the Federal Office for Information Security (BSI) was informed.
Cyber attack on health insurance companies in January
“Health data is highly worthy of protection,” digital expert Maximilian Funke-Kaiser told Handelsblatt. “In order to minimize the risk of a data leak, we therefore need more regular risk assessments.” Software must be securely programmed from the ground up with minimum standards. “This approach is also anchored in the coalition agreement.”
Health insurance companies have recently been increasingly targeted by hackers. As a result of a cyber attack, data from patients with statutory health insurance was leaked at the beginning of the year. In mid-January, a cybercriminal stole data from the health IT service provider Bitmarck and published it on the dark web.
Bitmarck develops and operates IT applications for around 80 statutory health insurance companies, which insure a total of 25 million people.
Bitmarck told Handelsblatt at the time: “It is general information such as first names and surnames as well as insurance numbers.” Address data is not included. Bitmarck did not provide any information about the number of insured persons affected.
At the end of April, however, Bitmarck was again the victim of a cyber attack. To date, not all systems of the affiliated health insurance companies have been fully restored. However, it is said that there was no renewed theft of policyholder data.