c't reveals: data protection violations at TI connectors in the healthcare sector

Statutory health insurance patients insert their electronic health card (eGK) into a card terminal when visiting a doctor. The terminal is connected to the Telematic Infrastructure (TI) via a connector and exchanges master data of the insured (VSDM) with the statutory health insurance companies, among others.
Patient data is the concern of the doctor and the insurance company alone. It therefore has no place in the connector logs. The specifications of Gematik, the body responsible for the TI (gemSpec_Kon_V4.11.1.doc and gemSpec_Kon_V5.8.0.docx), both require this in identical wording: "Personal data MUST NOT be stored in log entries."
c't found personal data of patients in the logs of the Secunet connector.

That is why we were quite astonished when we came across personal data in the log files of connectors during our investigations into TI failures. We found it in the logs of the T-Systems connector between October 2018 and December 2020. In 2020, that connector was replaced nationwide by the one-box connector from Secunet. In the Secunet logs we found personal data from May 2020 until the end of our test period in July 2021.

Serial numbers have been saved

The system and security logs saved the serial number of the eGK's crypto certificate for every VSDM error. The ICCSN (Integrated Circuit Card Serial Number) of the eGK was also written to the VSDM logs of the connectors. Insured persons can be identified at least indirectly via these numbers. According to the specifications mentioned, they are therefore personal data: "The ICCSN must not be stored with (the) security log," it says there under point TIP1-A_4710. The logs also clearly identify the practice. According to Gematik, only "service provider institutions and service providers commissioned by them" should have access to the logs, but not the Trust Service Provider (TSP), which issues the crypto certificates of the eGKs.
If the log data were illegally merged with that of the card manufacturer or the TSP, it would be possible to determine which patient consulted which doctor and when. One could find out when Mr. Meier was at the psychiatrist's and during what period Ms. Müller was being treated in an addiction clinic.
We reported this to the Federal Commissioner for Data Protection and Freedom of Information (BfDI) in mid-January. On February 14, the BfDI found "a data protection violation pursuant to Art. 33 (1) GDPR". According to Christof Stein, spokesman for the BfDI, Gematik informed the manufacturer Secunet. According to this, the Secunet connector still logs personal data even with the current firmware 4.10.1 and thus violates the GDPR. Secunet intends to fix this in an upcoming connector update. Secunet did not want to answer inquiries from c't.
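As an added illustration of the kind of check a practice or its IT service provider could run over exported connector logs before keeping or forwarding them (example code, not from c't, Gematik or Secunet): a scanner that flags and redacts ICCSN-like values and certificate serial numbers. The ICCSN format (20 decimal digits), the `iccsn=` and `serial=` field names and the log lines themselves are constructed assumptions, not real connector output.

```python
import re

# Assumptions (not from the article): an ICCSN is modelled as a 20-digit
# decimal number, a certificate serial number as a hex string after "serial=".
ICCSN_RE = re.compile(r"\b\d{20}\b")
CERT_SERIAL_RE = re.compile(r"(?i)\bserial=([0-9a-f:]{8,})")

# Constructed sample connector log lines (not real connector output).
SAMPLE_LOG = """\
2021-07-01T09:12:03 VSDM INFO card inserted slot=1
2021-07-01T09:12:04 VSDM ERROR read failed iccsn=80276001234567890123 code=4001
2021-07-01T09:12:04 SEC  WARN cert check failed serial=0a:1b:2c:3d:4e:5f:60:71
2021-07-01T09:12:05 SYS  INFO practice config mandant=praxis-01
"""


def find_personal_data(text):
    """Return (line_no, kind, value) for every identifier that the gematik
    specification says must not appear in log entries."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in ICCSN_RE.finditer(line):
            findings.append((no, "ICCSN", m.group(0)))
        for m in CERT_SERIAL_RE.finditer(line):
            findings.append((no, "cert_serial", m.group(1)))
    return findings


def redact(text):
    """Replace ICCSNs and certificate serials so the remaining log can be
    retained or shared without identifying the insured person."""
    text = ICCSN_RE.sub("<ICCSN-REDACTED>", text)
    text = CERT_SERIAL_RE.sub("serial=<REDACTED>", text)
    return text


if __name__ == "__main__":
    for no, kind, value in find_personal_data(SAMPLE_LOG):
        print(f"line {no}: {kind} {value}")
    print(redact(SAMPLE_LOG))
```

Running the scanner over the redacted output should yield no findings; that round trip is the useful acceptance check for any log export routine.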


Black Peter

When asked who was responsible for the GDPR violation, the BfDI replied: "Responsible for the connectors under data protection law are those who use them for the purposes of authentication and electronic signature as well as for encryption, decryption and secure processing of data in the central infrastructure, insofar as they have a say in the means of data processing."
When asked, the BfDI explained that these were "doctors and service providers" – and not Gematik, which is responsible for operating the TI and which approved the faulty connectors. Gematik did not explain why it did not discover the violation of the specifications during the approval tests. This is all the more incomprehensible because the same error occurred with the KoCoBox connectors back in 2018 and had to be fixed.


Physicians must use connector

However, doctors and service providers were legally obliged to connect to the TI via a Gematik-approved connector, under threat of reduced fees. They have no way of stopping the logging of personal data other than switching off the connector.
At the time of going to press, the BfDI was still discussing with Gematik whether doctors need to switch off the Secunet connectors that violate the GDPR, and how affected patients should be informed. c't's questions about possible fines and claims for damages also remained unanswered. The tricky case is likely to keep lawyers busy for a long time.


C't 6/2022


