
Nationwide Telecom Blackout Disrupts Spain's Major Networks
Section: News
The Federal Commissioner for Data Protection and Freedom of Information (BfDI) is currently investigating a recent incident involving an unauthorized objection to the electronic patient record (ePA) at the Barmer health insurance company. In light of this event, the BfDI has called for the reinstatement of veto rights previously held by both the BfDI and the Federal Office for Information Security (BSI).
Last week, it was revealed that an unauthorized individual managed to submit an objection regarding the ePA of another person with Barmer. This breach has prompted the BfDI, led by Louisa Specht-Riemenschneider, to examine the circumstances surrounding this occurrence. The BfDI has indicated that recent legislative changes, which removed the veto rights of the BSI and the BfDI, may have contributed to such incidents.
The BfDI has emphasized the necessity of involving its office early in the data processing evaluations related to the ePA. A spokesperson stated that it would be beneficial if legislation were to revert to requiring BfDI and BSI to agree on specific ePA guidelines. Although these agencies were consulted during the planning phases of the ePA, they are now only required to be informed and cannot exercise veto power in case of concerns.
In late April, the BfDI clarified that it does not serve as a licensing authority and that scrutiny of the ePA must occur during its operational phase. This position was underscored in relation to previous vulnerabilities identified within the ePA system. The loss of veto rights was a consequence of the Digital Healthcare Act, which aimed to expedite the digital transformation of the healthcare sector. This change was implemented following multiple instances where the former BfDI, Ulrich Kelber, utilized his veto authority until identified weaknesses were addressed.
According to regulations, Barmer should have verified the identity and authorization of individuals submitting objections. The BfDI spokesperson noted that ensuring the identity of individuals is critical for valid data processing actions, such as the deletion of an ePA. The responsibility for confirming identity lies with the respective health insurance provider.
Barmer has stated that submitting an objection to another person's ePA without their consent is not feasible. Inquiries revealed that an unauthorized objection was supposedly initiated with the assistance of a legitimate account holder. Additionally, since the nationwide rollout on April 29, 2025, objections have been subject to a 28-day waiting period, unless identity verification is completed beforehand. Patients can confirm their identity at Barmer offices or through their health ID in the eCare app.
A source familiar with the situation indicated that in the third week of April, an unauthorized objection was lodged for an individual's electronic patient record. This was reportedly accomplished by simply entering the name of the insured person on a form, without needing to include their insurance number. However, this practice has since changed, and the insurance number is now required.
Security experts from Fraunhofer SIT had previously raised alarms about numerous potential attack vectors for unauthorized objections. Critics of the ePA have noted the absence of minimum security requirements and assessments for both the objection filing process and its cancellation. It was indicated that objections should lead to the immediate deletion of patient records, with warnings that malicious actors could exploit such processes to delete patient records unlawfully.
In response to these concerns, Gematik has stated that the objection procedure is not covered by the specification. It has recommended defining a process for health insurance providers to follow when handling objections, ensuring minimum security standards and establishing a unified process.
Persistent criticism of the ePA has arisen regarding data protection and IT security issues. Recently, it was reported that enhanced security measures for accessing data within the ePA were insufficient, although improvements have since been made. There are also ongoing concerns about the changes to permission management, which have eliminated the option for granting access to specific files for certain institutions.