Particle.news

At 39C3, Researchers Say Germany’s ePA Remains Insecure and Warn of Risks for the State Wallet

They argue core identity controls were never fixed and temporary mitigations do not resolve the design flaws.

Overview

  • Security researcher Bianca Kastl told the 39th Chaos Communication Congress that fundamental identification and authentication weaknesses persist in Germany’s electronic patient record, despite the nationwide rollout in April.
  • The team that exposed flaws in 2024 reports they again obtained unauthorized access after launch, in at least one case without a physical health card, by exploiting the same weak identity processes.
  • A central weakness lies in the long‑standing VSDM service, which can yield false proofs of card presence; officials plan to begin an overhaul in 2026, while physician use has been mandatory since October 2025.
  • Governance and transparency gaps deepened concerns: a parliamentary answer confirmed that the Health Ministry lacks insight into operator–insurer contracts, and key architecture and privacy documents are not publicly available after oversight powers were reduced in 2023.
  • Operational lapses and instability compound the risk, including reported D‑Trust misassignments and a 96% infrastructure availability target that equates to more than two weeks of downtime per year. These prompted renewed CCC calls for independent security assessments and open development, alongside warnings that the EUDI‑Wallet slated for January 2, 2027 could repeat the same mistakes.