Jump to content
Gesundheitsdaten Foemibanner Rot Photo by Ryoji Iwata on Unsplash
Freedom in the digital age
Art. 1, 2

Database with health data of 73 million statutorily insured individuals must not become a data leak

The data of 73 million people with statutory health insurance for research purposes is at risk: We are taking legal action to protect against misuse.

Information on our health is some of the most sensitive data stored about us. It therefore needs to be particularly well protected. The new "Digital Healthcare Act" (DVG) now threatens to weaken this protection. By October 1, 2022, the data of 73 million people with statutory health insurance will be compiled fully automatically in a central database for research purposes and then continuously added to. There is no right to object to the data being passed on. The use of health data for research purposes in the public interest is fundamentally sensible. However, the standards of protection provided by law for the new health database are not sufficient. Together with computer scientist Constanze Kurz and another plaintiff with a rare disease, the GFF is filing urgent applications against the collection with the social courts in Berlin and Frankfurt. The aim is to ensure that the insured persons' data is protected in the best possible way in order to prevent misuse. It must also be possible to object to data processing.
Bijan Moini

Bijan Moini

Lawyer and case coordinator

„Nobody wants to prevent health research. But the law does not provide for sufficient protection standards or modern encryption methods - that is negligent and dangerous. Once health data falls into the wrong hands, this cannot be undone.“

By October 1, 2022, the statutory health insurers will feed extensive health data into a data collection for research purposes. The basis for this is the "Digital Health Care Act" (DVG), which came into force in 2019. The data includes, among other things, medical diagnoses, data on hospital stays, operations and medications of their insured. The information will be gradually added to and stored for up to 30 years. This affects 73 million people with statutory health insurance, or almost 90% of all people in Germany.

In principle, it makes sense to make health data available to certain government agencies and the scientific community. The health data of the statutory health insurers is a valuable resource that should not go unused in the public interest. If the data is made available to research, public health care can also be better evaluated and developed. The DVG also aims to promote innovative technologies as part of the digitization of healthcare.


So far, data is only to be pseudonymized during fully automated transfer. This means that the name, birthday and month of the insured person are removed. However, an expert report by cryptography professor Dominique Schröder commissioned by GFF shows that such pseudonymization does not protect people from being re-identified. This poses a significant risk of misuse, especially since there is no obligation to use modern encryption technology to secure the data.

The legal regulation of the health database must be measured against both the European Union's General Data Protection Regulation (GDPR) and the German Basic Law. The lack of a right to object violates the fundamental right to informational self-determination and Article 21 of the GDPR.

Above all, there must be a right of objection for particularly vulnerable people such as those with a rare or stigmatizing disease. It must not be possible for bodies such as medical associations, universities and the highest federal authorities to gain access to this intimate and sensitive data, even against the declared will of the people concerned. People who are particularly in need of protection must fear personal disadvantages such as loss of reputation, exclusion or financial losses in the event of data misuse or data leaks. They therefore have a particularly strong interest in the confidentiality of their data.

The right to informational self-determination also gives rise to the goovernment's duty to protect data from misuse as well as possible and with the best technology. Important research for the common good must be made possible in such a way that no fundamental rights are violated in the process.


The GFF wants to use emergency motions and lawsuits to have the courts establish that high IT security standards must apply to the health database. This concerns the merging of data records prior to pseudonymization, the central storage of pseudonymized data records, and the processing of data by authorized users. In addition, a right of objection should be recognized and established, at least for those in particular need of protection.

The first plaintiff supported by GFF, Constanze Kurz, spokeswoman for the Chaos Computer Club and a computer scientist, fears that the security flaws could lead to a dangerous data leak. The second plaintiff has a rare disease and is worried about being easily re-identified despite pseudonymizing his data and being discriminated against, for example when looking for a job. The plaintiff and the applicant are represented in court by GFF cooperation lawyer Prof. Matthias Bäcker (University of Mainz).

The action brought by the plaintiff with a rare disease is pending before the Frankfurt Social Court as summary proceedings (case number: S 220 SF 12-22 DS ER) and as main proceedings (case number: S 220 SF 13-22 DS). The summary proceedings were successful in the second instance before the LSG Darmstadt, the main proceedings are still pending.


The second hearing in Constanze Kurz's case before the Berlin Social Court (summary proceedings case number S 25 KR 932-22 ER) took place on February 15, 2023 and was successful. The hearing was shorter than expected, as the Research Data Center announced that it was still not working as planned, that there was still no security concept and that the service provider required to operate the database needed to be replaced. All of this will take at least until the second half of 2023. This means that, for the foreseeable future, a crucial component for completing the facts of the case is missing. The court therefore suggested that we suspend the proceedings until the Research Data Center knew exactly how it would actually work. The parties involved agreed to this. The main proceedings (case number S 25 KR 1222-22 DS) are currently still pending.

Banner Foe Mis 37 Mann im Rollstuhl


Freedom needs strong friends

Grundrechte verteidigen.
Fördermitglied werden!