Health insurance app Vivy had potentially significant security vulnerabilities

People worry about few things as much as their health. They are perhaps similarly worried about the security of their personal data. When the two come together, it becomes an existential issue for many. Otherwise it is hard to explain, for example, how fiercely the debate raged for years over which patient data may be stored on the chip of the insured's health card.

Most people nowadays carry far more information about themselves around on their smartphones, though not necessarily anything as sensitive as details of past illnesses, and many do not seem to find that quite as serious. The smartphone is also an obvious place to store personal data: for some it is probably the object closest to hand, and storage space is abundant. So it is an obvious idea for health insurers to offer their customers smartphone apps for all sorts of services.

Just six weeks ago, the health app Vivy was launched, the one that the largest group of people in Germany could use: 13.5 million people are insured with the participating statutory and private health insurers that offer it. These include DAK, a variety of guild health insurance funds, Bertelsmann BKK, Gothaer, Barmenia and Allianz. The latter also holds a 70 percent stake in the operator of the app, the Berlin-based Vivy GmbH.

An E-Mail in the Morning

On 22 September, five days after the launch of the app, the company received an email at 9:45 a.m. from the Swiss-German IT security company modzero. The contents of the message must have been alarming: according to an analysis by modzero, the Vivy app, available for the smartphone operating systems Android and iOS, contained serious weaknesses in data security. 75 minutes later, around 11 a.m., representatives of both companies spoke with each other for the first time in a telephone conference.

The communication continued in the weeks that followed; on 24 September, for example, there was a meeting in Berlin. Meanwhile, the app remained downloadable and usable, without users learning of the ongoing security analysis and the possible vulnerabilities.

It was not an actual hack. No unauthorized person had recognizably penetrated from the outside into the system behind the app, in which insured persons can store their entire electronic health record and pass documents on, for example, to their doctors. The question was whether someone could have penetrated it if they had wanted to.

© Michael stern, Dirk Peitz

Editor in the Digital section, Zeit ONLINE

The IT company's answer is this: it would have been possible in several places. Martin Tschirsich, an IT security analyst employed by modzero, had found, shortly after the launch of the app in September, “serious security deficiencies in the smartphone app as well as in the cloud platform and the browser application for physicians” – that is, at all possible points where hackers could strike. Vivy GmbH advertises aggressively that patient data in the app is protected against unauthorized access by secure authentication methods and encryption.

On 25 October, Thorsten Schroeder, managing director of modzero, wrote the final version of the 35-page report, which his company immediately sent to Vivy GmbH. The list of defects that modzero compiled for the Vivy app is long. For instance, information about who had shared health data with a doctor, and at what time, was “unprotected, readable by anyone on the Internet”. Insured persons could be identified “on the basis of name, photo, e-mail address, date of birth and insurance number”; the names of the physicians contacted could also be read out. Worse still: “Unauthorized persons were able to intercept over the Internet, and decrypt, all documents that were to be sent to a doctor.”