Particle.news

CCC Renews Critique of Germany’s Electronic Patient Record at 39C3, Citing Ongoing Security Failures

Experts say core identity checks require a full VSDM rebuild slated to begin in 2026.

Overview

  • At the 39th Chaos Communication Congress, security researcher Bianca Kastl said the ePA launched in April 2025 without adequate protections and still falls short of state‑of‑the‑art security.
  • Repeated demonstrations by the CCC showed that weaknesses in identification and authentication, especially around the VSDM, can enable unauthorized access under certain conditions even after recent fixes.
  • Measures introduced since rollout, such as rate limits, extra check digits and later access restrictions, were described as stopgaps that do not address the underlying design flaws.
  • Kastl highlighted governance and transparency gaps, noting the health ministry’s lack of insight into operator–insurer contracts and the partial publication or outright denial of key documents such as the architecture decisions and the data protection impact assessment (DPIA).
  • Operational issues persist, including outages equating to roughly two weeks of annual downtime and reported misassigned mailings of professional cards by D‑Trust, prompting calls for independent risk reviews, frank communication and an open development process.