Data leak: Doctor's office puts 30,000 patient records online

As the German c't Magazin reports on 22/11/2019, the unimaginable is happening in Hanover: all internal documents are from an orthopaedic practice located there, including, according to c't, for example, employment contracts, notes, the business evaluation, but even more seriously, the master data of around 20,000 patients and the patient records of around 30,000 patients can be viewed completely on the Internet.

According to c't Magazin, only the IP address of the server was needed to access the data unhindered. Findings, health data, address data, treatment information, and more was made completely unnoticed on the Internet over a previously unknown period of time.

According to research by c't Magazine, this was partly the responsibility of a configuration setting of a computer configured in practice, which made the server in practice accessible for the Internet. In addition, information on the server was also not sufficiently secured, as it had been accessible over the network even without authentication.

In accordance with the General Data Protection Regulation (GDPR), all interested parties must be informed directly of the events in this case. In concrete terms, this means that all possible persons concerned must also be informed of the possible consequences. According to net life's IT experts, whoever tapped this data is not easily ascertainable. In this way, connection data could be evaluated, if it has been stored at all. Also according to the information available to the c't magazine, no break-in into the systems was necessary, as they offered the data completely free, unencrypted, and not even secured by username and password on the Internet, such as a freely accessible website. In addition, the General Data Protection Regulation requires the competent supervisory authority to be informed within 72 hours. c't magazine reports that they did not respond to a request for comment on how the incident was handled in practice.




David Bouck-Standen (M.Sc.)
Sen. IT-Consultant, NetAlive Ltd
Data Protection Expert

According to the General Data Protection Regulation ( It is not for nothing that the General Data Protection Regulation provides for a data protection assessment for this type of personal data prior to the processing of the data. In a data protection assessment, the controller of the processing must, among other things, assess the risk of a possible loss of data or access by third parties to the data that is worthy of protection for the data subject, and the risk that such an incident may result in Entry.

If one bases the research of the journalists on the c't magazine, probably the IT in the doctor's office has been powerfully muddy. The use of computer systems does not release a controller from his responsibility to adequately protect personal data. Adequate protection provides for the management of possible technical risks. It is not enough to simply install systems and use them blindly. This results, as in this case, in a data protection disaster.

This is probably not an isolated case. C't Magazine notes that the circumstances were facilitated by a router configuration, which the companies in question are now trying to fix with appropriate updates. However, it is our expert view that in this case this may have facilitated access to the patient data only simplistic, since the server was also grossly misconfigured by rights management. This means that, in our opinion, access could have taken place due to the poor IT configuration of the practice if other devices had been used. The configuration there allowed access for "everyone" who had access to the network. The security configuration of the server allowed such access, so that it was also possible directly and without security precautions via Wi-Fi or via an in-house or disconnected network jack.

Such carelessness in the handling of personal data and, in particular, patient data is worrying.

In this case, it is also probable that no safety audit was carried out. In an audit, an expert check carried out independently of the contracted IT service provider determines whether systems are sufficiently and securely configured. The internally commissioned IT service provider should not be commissioned regularly with an audit. This has very simple reasons that are enshrined in the General Data Protection Regulation Regulation: the in-house IT service provider is in conflict of interest between a possible threat to data protection due to a faulty or defective configuration and its own status as a contractor. NetAlive Ltd, as an independent contractor, can carry out an objective on-site audit of IT security without the risk of a conflict of interest.

NetAlive Ltd offers the safety check for doctor's offices in the form of an IT security audit from its London location throughout the United Kingdom.

Automated translation.

Add comment