Data leak in rehab clinics: Thousands of patients potentially affected | heise online

A data leak potentially affects thousands of patients at ZAR rehab clinics across Germany. Among other things, highly sensitive patient data was accessible.

(Image: Lopolo / Shutterstock.com, edited by heise online)

A massive data leak potentially affects hundreds of thousands of patients at ZAR rehab clinics across Germany. Among other things, highly sensitive medical reports were accessible. The affected rehab centers are under the umbrella of Nanz medico, which claims to be the largest provider of outpatient rehab services in Germany. This includes a total of 39 rehab clinics.

(Image: Nanz medico GmbH & Co. KG)

Depending on their location, the ZAR rehab centers offer treatment options for orthopaedics, neurology, cardiology, oncology and psychosomatics. An app called ZAR PAT is used for communication between patients and the rehab center, allowing patients to conveniently view daily and weekly schedules as part of their treatment. The Android version of the app alone has been downloaded over 100,000 times.

However, the convenience unintentionally came at a high price: one user of the app noticed that it was communicating with the internet in unencrypted form and retrieving his schedules from the server in plain text. The use of transport encryption (TLS) has been a standard and rudimentary security measure for apps for many years.
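As an added example (not from the article and not the ZAR PAT developer's code), this is the Android network security configuration that turns the plain-text behaviour described above into a hard failure at the platform level; the file name is the conventional one and is an assumption.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, wired in via
     android:networkSecurityConfig="@xml/network_security_config" on the
     <application> element of AndroidManifest.xml.
     Added example; not taken from the ZAR PAT app. -->
<network-security-config>
    <!-- Weak state: cleartextTrafficPermitted="true" (the platform default
         before Android 9 / API 28). HttpURLConnection, OkHttp and WebView
         then send http:// requests as-is, so schedules and reports travel
         readable by anyone on the path, as described in the article. -->

    <!-- Hardened state: refuse plain-text HTTP app-wide. Any attempt to open
         an http:// URL fails with an exception instead of leaking data,
         which also surfaces forgotten http:// endpoints during testing. -->
    <base-config cleartextTrafficPermitted="false" />
</network-security-config>
```

Blocking cleartext on the client does not replace access control on the server: the directory-listing and missing-authentication problems the article goes on to describe need their own fix on the backend.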

(Image: Informant)

Hacking knowledge was not required to view the data: it was sufficient to take a look at the connections at any point during transmission, for example with the PCAPdroid analysis app directly on the smartphone. There was also no need to overcome security measures. Any third party could have easily viewed the unprotected plain-text connections, for example the internet provider or other users in public networks.

But that was just the beginning: when the URL of the server from which the app loaded the appointments was called up in a web browser, information about other paths on the server was automatically transmitted. Under these paths, personal data could be accessed without access control via an unprotected plain-text connection.

This included not only personal data such as first name, surname and date of birth, but also information about courses attended in the rehabilitation facilities and detailed medical reports that were recorded as part of the therapy, for example in the treatment of psychosomatic illnesses. These contain sensitive information about the patients' life circumstances and state of health, such as in this report: "Looking back on the individual psychotherapeutic sessions, looking back on her childhood was rather upsetting for her; she had successfully repressed many things that had now come up again."

The extent of the data leak is considerable: one of the locations alone apparently delivered data from over 80,000 patients. The data goes back many years. It is not yet clear over what period of time access was possible and who accessed the data.

Our informant immediately reported the security problem to the German Federal Office for Information Security (BSI) and the rehab clinic directly involved, which was even documented in his medical records. Ironically, he was able to reproduce this live on the basis of the data leak: "Patient just called me and found a data breach based on the app ZAR PAT. He reported it directly to the BSI and only then informed me. I have already informed our IT department."

Our whistleblower also identified other security problems, but the greatest risk by far was posed by the extensive access to highly sensitive patient data without access protection or transport encryption. In the wrong hands, the data could cause considerable harm to those affected.

The clinic apparently passed on the important information to its parent company, Nanz medico GmbH & Co. KG, which was then at least able to quickly prevent access to the data. Since then, the data has been delivered in transport-encrypted form, and external access to the sensitive information is prevented with an error message.

heise online and c't asked Nanz medico for a statement on the massive data leak on January 22. The company responded: "As soon as we became aware of this, we immediately commissioned the IT service provider to carry out an audit and instructed them to close the gaps without delay. These were rectified yesterday afternoon, the gaps closed and the existing security settings expanded. There were no indications of data leaks or manipulation." Further questions on our part remained unanswered, such as the number of people affected or whether the responsible data protection authorities were informed.

According to the provisions of the GDPR, the data leak is likely to be a reportable incident. In accordance with Article 33 GDPR, data controllers must inform the competent supervisory authority of the incident within 72 hours. If it is concluded that there is a high risk to the personal rights and freedoms of natural persons, all data subjects must also be informed (Art. 34 GDPR). If the controller does not comply with these requirements, there is a risk of severe fines.

Nanz medico only partially responded to our second inquiry a week after the incident: "As the external security experts are currently carrying out all the necessary checks in accordance with the relevant legal and security standards, we ask for your understanding that this requires a conscientious and careful approach. There are still no indications of data leaks or manipulation." In any case, it is undisputed that the data has been accessed by third parties. This should also be immediately apparent from the server logs.

Our questions about which locations, how many patients and which data the company believes to be affected by the data leak remain unanswered. The responsible state data protection authorities do not appear to have been informed either, as our inquiries revealed.

(Image: Nanz medico GmbH & Co. KG)

Many of our investigative reports are only possible thanks to anonymous information from whistleblowers.

If you are aware of a grievance that the public should know about, you can send us information and material. Please consider using our anonymous and secure mailbox: https://heise.de/investigativ
(mack)
This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.