A significant data leak at ZAR rehab clinics in Germany has exposed sensitive patient information. The leak involved the “ZAR PAT” app, which patients and the rehab centers use to communicate and which carried personal details and medical records. Because the app did not use transport encryption, this data was transmitted in plain text and could be read by anyone with basic technical knowledge who could observe the traffic. The exposed information included names, dates of birth, health conditions, and psychotherapy details.
The breach was reported by an informant who identified the unencrypted communication and immediately contacted the German Federal Office for Information Security (BSI) and the clinic.
The personal data of over 80,000 patients was potentially compromised, with some data dating back several years. This breach has raised concerns about how long the data remained vulnerable and whether it was accessed by malicious actors during the time it was exposed.
In response to the breach, Nanz medico, the parent company of ZAR rehab clinics, took immediate action by securing the server and applying transport encryption to prevent further leaks. However, the company faced scrutiny for not promptly notifying relevant authorities or affected individuals. Despite these security improvements, there remains uncertainty over the extent of the breach and whether any personal data has been misused.
Under the General Data Protection Regulation (GDPR), such a breach must be reported to the supervisory authority within 72 hours if it poses a risk to individuals’ rights and freedoms. Nanz medico has yet to fully disclose the number of affected patients or the specific details of the data exposed, and the company has not made a clear statement about whether it informed the data protection authorities. The incident highlights the need for robust security measures, transport encryption in particular, in healthcare apps and systems that handle sensitive patient data.