Overview

• The Chaos Computer Club (CCC) uncovered a security flaw in the electronic patient record (ePA) system involving electronic replacement certificates for health cards.
• The vulnerability allowed unauthorized access to patient data but was limited to certain health insurers’ clients, who have since been identified and given additional protections.
• gematik confirmed the issue and implemented an immediate fix, emphasizing that continuous security monitoring remains crucial.
• This incident follows earlier CCC-reported vulnerabilities in late 2024, which prompted additional security measures before the system’s national rollout on April 29, 2025.
• With around 70 million insured individuals automatically enrolled in the ePA since January 2025, the system’s success now hinges on addressing privacy concerns and maintaining public trust.