Doc Cirrus: Tens of thousands of patient data were freely available on the internet

Personal data, invoices and findings – data from tens of thousands of patients in German medical practices was largely unsecured, according to the hacker collective “Zerforschung”. The security problem existed at Doc Cirrus, a manufacturer of doctor & practice software. The company has confirmed the vulnerability and claims to have closed it in the meantime.

The company’s “data safe” concept was actually intended to prevent major security leaks. Instead of storing data centrally on the Doc Cirrus servers or with a cloud provider, the company offered medical practices their own microservers. Doctors can process patient data directly on these computers, which are located in the practice itself, and also grant patients access to the documents relating to them via the Internet.

From e-mail accounts to laboratory results

This external access aroused the interest of the security researchers, who had already uncovered numerous security gaps in the German healthcare system in the past. According to the post by “Zerforschung”, they noticed a whole series of serious problems.

On the one hand, they found the internal access data of the doctors’ practices via the central access portal of Doc Cirrus, so that potential attackers could access the doctors’ collected e-mails or write e-mails on their behalf. On the other hand, it was possible to access all documents stored on the respective practice server via a patient’s access link.

As NDR and WDR report, the responsible Berlin data protection officer assumes that 270 medical practices and more than 60. patients were affected. Among other things, diagnoses, laboratory values and sick notes could be retrieved from them; according to “Zerforschung”, personal data such as postal and e-mail addresses were also found.

Penalty requested

In a press release dated 10 July, the manufacturer had admitted the security problems and initially switched off the affected services. However, once the programming errors in the portal had been fixed, Doc Cirrus saw no further need for action. “Our analysis of logs and access patterns gives no reason to assume that, outside of the Responsible Disclosure process, practice or patient information was viewed or accessed by third parties,” the company writes.

The hackers praise the manufacturer’s quick response to their security alerts, but are disappointed that the patients have apparently not been informed about the gaps and the associated risks.

They point out that potential attackers would also have had access to the servers’ log files, so a break-in could have been concealed. They are also asking the data protection officer to impose a severe fine on the company. “If a product is market-ready enough to store personal data, it must also be mature enough to keep it to itself,” judges “Zerforschung”.
