Database with health data of 73 million statutorily insured individuals must not become a data leak
The data of 73 million people with statutory health insurance for research purposes is at risk: We are taking legal action to protect against misuse.
By October 1, 2022, the statutory health insurers will feed extensive health data into a data collection for research purposes. The basis for this is the "Digital Health Care Act" (DVG), which came into force in 2019. The data includes, among other things, medical diagnoses, data on hospital stays, operations and medications of their insured. The information will be gradually added to and stored for up to 30 years. This affects 73 million people with statutory health insurance, or almost 90% of all people in Germany.
In principle, it makes sense to make health data available to certain government agencies and the scientific community. The health data of the statutory health insurers is a valuable resource that should not go unused in the public interest. If the data is made available to research, public health care can also be better evaluated and developed. The DVG also aims to promote innovative technologies as part of the digitization of healthcare.
PROTECTION PROVIDED SO FAR IS INADEQUATE
So far, the data is only to be pseudonymized during the fully automated transfer. This means that the insured person's name and the day and month of birth are removed. However, an expert report by cryptography professor Dominique Schröder commissioned by GFF shows that such pseudonymization does not protect people from being re-identified. This poses a significant risk of misuse, especially since there is no obligation to use modern encryption technology to secure the data.
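To make the re-identification risk concrete, here is an added illustration (not part of the GFF text or the expert report): it applies the pseudonymization step described above to a constructed set of insurer records and then measures how many records remain unique on the attributes that survive, using the k-anonymity measure. The field names and the coarsening rule in `generalize` are assumptions for the example.

```python
from collections import Counter

# Constructed sample records (not real data); they mirror the kind of
# attributes an insurer's record carries alongside the diagnosis.
RECORDS = [
    {"name": "A. Example", "birth_date": "1975-03-14", "sex": "m", "postcode": "10115", "diagnosis": "E11"},
    {"name": "B. Example", "birth_date": "1975-11-02", "sex": "m", "postcode": "10115", "diagnosis": "I10"},
    {"name": "C. Example", "birth_date": "1982-07-21", "sex": "f", "postcode": "80331", "diagnosis": "G35"},
    {"name": "D. Example", "birth_date": "1987-01-09", "sex": "f", "postcode": "80335", "diagnosis": "J45"},
    {"name": "E. Example", "birth_date": "1968-05-30", "sex": "m", "postcode": "50667", "diagnosis": "E10"},
    {"name": "F. Example", "birth_date": "1961-12-12", "sex": "m", "postcode": "50668", "diagnosis": "F32"},
]

# Attributes that remain after pseudonymization and can be matched against
# other sources (the "quasi-identifiers"); assumed for this example.
QUASI_IDENTIFIERS = ("birth_year", "sex", "postcode")


def pseudonymize(record):
    """The step the page describes: drop the name and the day and month of
    birth. The birth year and every other attribute are kept unchanged."""
    out = {k: v for k, v in record.items() if k != "name"}
    out["birth_year"] = out.pop("birth_date")[:4]
    return out


def generalize(record):
    """One common mitigation (assumed, not proposed by the page): coarsen the
    quasi-identifiers to a birth decade and a two-digit postcode prefix."""
    out = dict(record)
    out["birth_year"] = str(int(record["birth_year"]) // 10 * 10)
    out["postcode"] = record["postcode"][:2]
    return out


def k_anonymity_report(records, quasi=QUASI_IDENTIFIERS):
    """Group records by their quasi-identifier tuple. k is the smallest group;
    a record in a group of size 1 is unique and thus trivially re-identifiable
    by anyone who knows those attributes about a person."""
    groups = Counter(tuple(r[q] for q in quasi) for r in records)
    return {
        "k": min(groups.values()),
        "unique_records": sum(1 for c in groups.values() if c == 1),
        "total": len(records),
    }


if __name__ == "__main__":
    pseudonymized = [pseudonymize(r) for r in RECORDS]
    print("after pseudonymization:", k_anonymity_report(pseudonymized))
    print("after generalization:  ", k_anonymity_report([generalize(r) for r in pseudonymized]))
```

With the constructed records, four of six are unique on birth year, sex and postcode even though no name or full birth date is stored; coarsening those attributes is what brings every group to k = 2.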
The legal regulation of the health database must be measured against both the European Union's General Data Protection Regulation (GDPR) and the German Basic Law. The lack of a right to object violates the fundamental right to informational self-determination and Article 21 of the GDPR.
Above all, there must be a right of objection for particularly vulnerable people such as those with a rare or stigmatizing disease. It must not be possible for bodies such as medical associations, universities and the highest federal authorities to gain access to this intimate and sensitive data, even against the declared will of the people concerned. People who are particularly in need of protection must fear personal disadvantages such as loss of reputation, exclusion or financial losses in the event of data misuse or data leaks. They therefore have a particularly strong interest in the confidentiality of their data.
The right to informational self-determination also gives rise to the government's duty to protect the data from misuse as well as possible and with the best available technology. Important research for the common good must be made possible in a way that violates no fundamental rights in the process.
HIGH STANDARDS OF PROTECTION AND A RIGHT TO OBJECT
The GFF wants to use emergency motions and lawsuits to have the courts establish that high IT security standards must apply to the health database. This concerns the merging of data records prior to pseudonymization, the central storage of pseudonymized data records, and the processing of data by authorized users. In addition, a right of objection should be recognized and established, at least for those in particular need of protection.
The first plaintiff supported by GFF, Constanze Kurz, spokeswoman for the Chaos Computer Club and a computer scientist, fears that the security flaws could lead to a dangerous data leak. The second plaintiff has a rare disease and is worried about being easily re-identified despite the pseudonymization of his data and being discriminated against, for example when looking for a job. The plaintiff and the applicant are represented in court by GFF cooperation lawyer Prof. Matthias Bäcker (University of Mainz).
The action brought by the plaintiff with a rare disease is pending before the Frankfurt Social Court as summary proceedings (case number: S 220 SF 12-22 DS ER) and as main proceedings (case number: S 220 SF 13-22 DS). The summary proceedings were successful in the second instance before the LSG Darmstadt; the main proceedings are still pending.
RESEARCH DATA CENTER HAS NO SECURITY CONCEPT - CASE SUSPENDED FOR THE TIME BEING
The second hearing in Constanze Kurz's case before the Berlin Social Court (summary proceedings case number S 25 KR 932-22 ER) took place on February 15, 2023 and was successful. The hearing was shorter than expected, as the Research Data Center announced that it was still not working as planned, that there was still no security concept and that the service provider required to operate the database needed to be replaced. All of this will take at least until the second half of 2023. This means that, for the foreseeable future, a crucial component for completing the facts of the case is missing. The court therefore suggested that we suspend the proceedings until the Research Data Center knew exactly how it would actually work. The parties involved agreed to this. The main proceedings (case number S 25 KR 1222-22 DS) are currently still pending.