The Limited Times


All those with statutory health insurance are affected: civil rights activists are suing over the disclosure of health data

2022-04-29T08:29:32.132Z


Medicines, diagnoses and more: the health insurance companies are to make pseudonymised data from 73 million insured persons available to research. A plaintiff fears he might be identified.



Health cards from various health insurance companies

Photo: Jens Kalaene/ dpa

Lars D., whose real name is different, suffers from hemophilia.

His blood clots more slowly than that of healthy people.

It is a rare disease that only about two out of every 10,000 men in Germany have, and there is currently no cure.

The fact that D. is one of those affected is nobody's business, he thinks.

He fears that this could result in disadvantages for him, for example through discrimination when looking for a job.

That is why D. now wants to take legal action against the Digital Supply Act (DVG) passed by the then grand coalition in 2019, together with Constanze Kurz from the Chaos Computer Club (CCC) and the Society for Freedom Rights (GFF).

The law stipulates that by October of this year, the statutory health insurance companies must feed extensive health data of all 73 million insured persons into a database for research purposes.

There is no possibility of objection.

Only privately insured persons are not affected.

The fact that the data has to be pseudonymised is not enough for the plaintiffs.

D. fears that someone like him will still be identifiable.

Constanze Kurz believes that the database could be hacked.

"It's not about preventing research," says D. in a phone call to SPIEGEL.

Rather, the lawsuits aim for rulings that lead to the data being better protected against misuse through a higher level of encryption and data-minimising collection, and that allow all insured persons to object to the collection.

The DVG states that the "specific re-identification risk" should be "minimised" by a "key-dependent procedure for pseudonymization that corresponds to the current state of the art and science".

However, according to a report by the cryptography professor Dominique Schröder from the Friedrich-Alexander University in Nuremberg-Erlangen, the planned system is far from optimal.

On the contrary, "fundamental pillars of IT security" are "ignored," writes Schröder.

That's the plan so far

The design is planned as follows: the health insurance companies first send data on the person, the insurance company and the medical history "for each insured person in connection with an insured person's pseudonym, which allows clear identification across health insurance companies (...)" to a central data collection point at the Central Association of Health Insurance Funds.

There the data should be checked for “completeness, plausibility and consistency”.

The data collection point then transmits the data to the federal research data center, which is ultimately supposed to work with it, removing the insured person's pseudonym in the process.

Each record sent to the research data center is instead given a work number to disguise the connection between the patient and their treatment.

The work numbers and the insured persons' pseudonyms are sent together, but without health data, to a third party, the so-called trust center.

It generates so-called one-way pseudonyms from the insured person's pseudonyms and sends these to the research data center together with the work numbers.

This step is considered necessary because there can be several work numbers for each patient, depending on the number of treatments.

So that the research data center can assign the work numbers to the same person without finding out who this person is, it is given the one-way pseudonyms.
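The data flow described above, as an added sketch that is not taken from the article, the law or the actual system. It assumes HMAC-SHA256 as the "key-dependent procedure", random work numbers, and hypothetical record fields; the sample records are constructed.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample input: (insured person's pseudonym, diagnosis) per treatment.
INSURER_RECORDS = [
    ("VP-0001", "hemophilia"),
    ("VP-0002", "hypertension"),
    ("VP-0001", "joint bleed"),
    ("VP-0003", "hypertension"),
]

def collection_point(records):
    """Assign a fresh work number per record and split the data flow."""
    to_research, to_trust = [], []
    for pseudonym, diagnosis in records:
        work_no = secrets.token_hex(8)            # assumption: random work numbers
        to_research.append((work_no, diagnosis))  # health data, no pseudonym
        to_trust.append((work_no, pseudonym))     # pseudonym, no health data
    return to_research, to_trust

def trust_center(pairs, key):
    """Derive one-way pseudonyms; HMAC-SHA256 is an assumed keyed procedure."""
    return [(work_no, hmac.new(key, p.encode(), hashlib.sha256).hexdigest())
            for work_no, p in pairs]

def research_center(health_rows, pseudonym_rows):
    """Join on work number and group treatments per one-way pseudonym."""
    by_work_no = dict(pseudonym_rows)
    histories = defaultdict(list)
    for work_no, diagnosis in health_rows:
        histories[by_work_no[work_no]].append(diagnosis)
    return dict(histories)

def run_pipeline(records, key):
    """Run all three parties in sequence and return the research center's view."""
    to_research, to_trust = collection_point(records)
    return research_center(to_research, trust_center(to_trust, key))

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held by the trust center only
    for one_way, diagnoses in run_pipeline(INSURER_RECORDS, key).items():
        print(one_way[:12], diagnoses)
```

The research data center's view contains no insured person's pseudonym, yet both treatments of the first person are linked and the rare diagnosis is still present in that linked history.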

»Deanonymize data – it works really well«

Schröder's criticism begins with the first step, the central data collection at the umbrella organization.

From his point of view, the creation of this "single point of failure" is superfluous and dangerous, since the health insurance companies could also clean up their respective data themselves.

From an IT security perspective, decentralized data storage is safer and corresponds to the actual state of the art and science.

In addition, Schröder comes to the conclusion "that the research center cannot assess the specific re-identification risk".

There are examples, inside and outside of medicine, of how re-identification becomes possible when other publicly accessible sources are used in addition to the pseudonymised data set.

Schröder had already argued in a hearing of the Health Committee on October 16, 2019: »There is always talk of pseudonymised and anonymous data, and everyone is of the opinion that if it says anonymous, then that is the case. But there are many examples from cryptography and IT security where we were able to show how we can deanonymize the data; it really works wonderfully.«

That did not prevent the passing of the law.

From the beginning of May it will become clear whether he will be more successful with his written report.

At that point, Lars D. and Constanze Kurz intend to go before the social courts in Frankfurt and Berlin with actions for an injunction or urgent applications against their respective health insurance companies and against the transfer of data.

Source: spiegel
