Effortless access to patient data possible
Health insurance: Patient data apparently not sufficiently protected
06/26/2014
The patient data of several million health insurance fund members in Germany may not be sufficiently protected. That, at least, is the result of a test by the "Rheinische Post" (RP), which showed that access to the sensitive data is possible almost without any special IT knowledge.
Self-test on the subject of privacy
How safe is my personal information? This question comes up again and again, especially when yet another privacy scandal hits the headlines. To find out how well the patient data of health insurance fund members in Germany are protected, the "Rheinische Post" (RP) has now carried out a self-experiment. The result: the sensitive data on treatments, diagnoses and prescriptions are apparently insufficiently protected, and access by third parties is easier than imagined.
No special IT skills required
As the RP reports, the test revealed that even Internet laypersons could obtain information about other people with statutory health insurance with a simple telephone call and a few mouse clicks. All that is needed is the name of the health insurance member and the insurance number, which is no difficult task because the number can be clearly read on the front of the chip card. With these data, sensitive information could be obtained quickly and easily via the online branches of the health insurance funds, because the security precautions in the registration process for these services are usually inadequate.
Name and insurance number sufficient for registration in online branches
According to the RP, a tester from southern Germany was able to obtain data on the treating physicians and prescribed medicines using only the name and insurance number of a member of the newspaper's editorial staff, even though the two did not know each other. A frightening result: had the file of the "scouted" editor contained information on serious illnesses or mental suffering, it would have been readily visible to the unrelated tester. Not even the card itself was necessary to receive the sensitive data from the Barmer, the RP continued. The Barmer is not the only fund that offers its members online administration of their data; other insurers such as AOK, Techniker Krankenkasse, DAK or company health insurance funds do so as well. However, these offers had not been tested.
Employers could easily query the health status of employees
For the Barmer, however, according to the RP, this is an isolated case that must "be a matter of an employee's mistake". As the health insurance company points out, "strict security regulations" would normally be followed in dealing with patient data, with the date of birth and place of residence always required for access. But in the age of the Internet these data are in principle no longer a secret either: they can be found on the insurance card or simply looked up in networks or online directories. They would be available to employers anyway, which would theoretically make it possible for them to query employees' state of health as well.
Barmer wants to train employees again and review security regulations
As the Barmer announced to the RP, the test still meant "

In addition, the Federal Insurance Office, as the supervisory authority, reacted to the test result according to the RP and announced further action: "We use your descriptions as an opportunity to subject the legal security of communication between the insured and the health insurance companies to a fundamental examination." This is urgently needed, according to Thomas Reisener (RP): as the editor writes in a commentary on the current test, the Barmer protects even the most sensitive medical details of its members "barely better than an allotment club membership list". It also seems reasonable to assume that similar security gaps exist at other funds. However, this problem should not be passed on to the users of the online services. Instead, according to Reisener, legislators and providers would have to take action and provide more protection. (No)
Picture: Tim Reckmann