More than 1 million patient data records ended up unprotected on the Internet


Vulnerability in practice software

Not compliant with data protection: via practice software, patient data ended up on the Internet where unauthorized persons could view it. Tens of thousands of patients were affected.


It doesn’t get much more private than your own health data. It should go without saying that such data is stored as securely as possible.

As the software collective “Zerforschung” found out and reported together with “NDR” and “WDR”, this is not always the case. According to the report, by June 2022 more than one million patient data records from around 60,000 patients had ended up largely unencrypted on the Internet via a security gap in the practice software inSuite from the company Doc Cirrus. In addition to personal data, these also include invoices and reports.

inSuite is supposed to help medical practices prevent exactly such data leaks. The software, which has been certified by, among others, the National Association of Statutory Health Insurance Physicians and the DQS certification body, makes it possible to store patient data on the practice's own server instead of storing it centrally at Doc Cirrus. Patients can then access this data via a health portal.

But the portal contained a vulnerability. Using the browser’s development tools, it was possible to read out the access data for the e-mail inboxes of most medical practices, and then to monitor their entire e-mail traffic. In addition, the data sent between the practice server and the health portal was not sufficiently secured. Unauthorized persons could query all existing patient data in unencrypted form, including personal information such as name, address, insurance status, diagnoses, referrals, blood values and, in some cases, prescribed medication, across multiple medical practices.


After “Zerforschung” reported the security gap to the Berlin state data protection officer and the BSI, Doc Cirrus switched off the software completely. It confirmed the gap to the collective and announced further action. However, it is not known whether those affected were informed about the vulnerability as promised.

The software has been available again since August. In a press release, Doc Cirrus states: “The programming errors have now been corrected, the affected services are mostly active again, only one last service will be made available again as soon as possible after an update.” In addition, according to its own analyses, there is “no reason to assume that outside of the responsible disclosure procedure (Editor’s note: the approach through research) practice or patient information was viewed or tapped by third parties.”


12.8.2022, by Alan Friedrichs


Reference-www.pc-magazin.de