Patient data handled by German emergency services lay unprotected on the internet until recently, according to the computer magazine c't. Its disclosure coincides with a lengthy German debate about electronic health cards.
The Hanover-based magazine reported Friday that "NaProt," an app supplied by a Berlin firm and widely used by German emergency services, had contained a "grave" data vulnerability until a recent fix.
Had it been exploited, attackers needing nothing more than a web browser could have reached up to 39 servers and obtained patients' names, addresses, birth dates, health fund details and even the clinics to which they had been taken, c't claimed.
In late January the Berlin provider, Pulsation IT, "very cooperatively" issued a software update that removed previously readable activation codes and server addresses from the app, c't reassured its readers.
Paramedics caught in data controversy
The app's users, among them ambulance services, emergency physicians and patient transport operators, include the German Red Cross, St John's and the Order of Malta as well as Germany's Federal Police.
Paramedics arriving at an emergency use the app on tablets as part of the life-saving infrastructure for liaising with clinics and, using portable card readers, also read the memory chips on the health cards that most of Germany's residents carry in their wallets.
"After completion of each deployment the operational protocol is transferred to the (computer) servers, remains stored there, and via a Web portal is legible for an authorized circle of persons," c't reported.
'Real' data found during checks
Its authors said that while testing a demonstration version of NaProt they obtained the addresses of production servers that handled "real operational data."
The servers delivered "real information on emergency vehicles, staff and deployments, including locations and calls to emergencies," said c't.
"It was possible to call up detailed patient information like the name, address, birth date, [statutory] health fund and partly the destination clinic," it added.
Such data was often transmitted without encryption, it claimed.
Pulsation IT says its app is used in 900 emergency vehicles nationwide during 2,000 deployments each day to provide "simple, secure and comprehensive electronic data collection." DW contacted the company for a statement but had not received a response at the time of publication.
Privacy versus bureaucracy
Since the 1990s, privacy advocates have fought proposals by health authorities to store far more on the chips of the Elektronische Gesundheitskarte (eGK, electronic health card), such as prescriptions and even individual medical histories, to enable checks in pharmacies, for example.
At its 2013 assembly, the German Medical Association rejected the eGK project after seven years of development, saying the security of centralized medical data was still not guaranteed and that project funding had been wasted.
Illustrating the need for accurate data, German public broadcaster ARD last Tuesday reported how a patient, Rudi W., who was taking 15 partly contraindicated medications, would have lost his life on "several occasions if care had not been taken."
Dr. Ilka Enger of the Bavarian BFAV specialist doctors' federation told ARD's television program Kontrovers that patients must, however, retain control over their "state-prescribed" electronic health cards.
"I would see it on the whole negatively. The issue is that the patient should retain sovereignty over his data," said Dr. Enger.