By October 1st, as part of the data transparency procedure, the health insurance companies had to provide health data of 73 million people with statutory health insurance that are particularly worthy of protection for research purposes. The billing data of the insured should be sent to the central association of health insurance companies (GKV-Spitzenverband) between August 1 and October 1, 2022. In the meantime, the data records of all insured persons have arrived, as the National Association of Statutory Health Insurance Funds informed heise online on request.
The data is to be forwarded to the Research Data Center (FDZ) set up at the Federal Institute for Drugs and Medical Devices by December 1, 2022. The data collection is then to be continuously expanded and stored for up to 30 years. There is no right of objection. The Society for Freedom Rights (GFF) criticizes this and wants to continue to take action against the lack of data protection and the lack of an opportunity to object. She sees this as a violation of the right to informational self-determination and Article 21 of the GDPR.
In order to initially prevent the data from being passed on in two cases, the GFF, together with Constanze Kurz from the Chaos Computer Club (CCC) and a person who suffers from the rare disease hemophilia, initiated two urgent proceedings at the social courts in Berlin and Frankfurt and they decided for themselves.
Research data makes sense, data pool is not sufficient
In general, the GFF considers the use of health data for research purposes to be useful, but the “protection standards previously provided for by law” for the health database would not be sufficient. The data would only be pseudonymised, with details such as name and date of birth being removed. However, a report by the cryptography professor Dominique Schröder showed that it is still possible to draw conclusions about individual persons. This means that misuse of the data cannot be ruled out, especially since there is currently no obligation to use modern encryption techniques.
Central data collection as a single point of failure
Above all, Schröder sees the central data collection at the National Association of Statutory Health Insurance Funds and in a research data center as a possible single point of failure and not necessary. Decentralized data storage that also corresponds to the state of the art is better. Gematik is also currently working on a concept in which data is not stored centrally. As methods for handling sensitive data, Schröder cites the concept of “differential privacy”, which is also used by Google and Apple. He also proposes the use of modern cryptographic methods such as the use of homomorphic encryption or secure multi-party calculation.
With further lawsuits, the GFF wants to obtain a right of objection and “that the data of the insured be protected as best as possible in order to prevent misuse.” High IT security standards should apply to the “merging of the data sets before pseudonymization, the central storage of the pseudonymized data sets and the processing of the data by the authorized users”.
Poorly protected people with rare diseases
“Anyone suffering from a rare disease is particularly easy to identify in apparently anonymous databases. This is particularly dangerous if the disease has a stigmatizing effect or knowledge of it even has the potential for blackmail,” says Bijan Moini, lawyer and procedure coordinator at GFF. Nobody wants to prevent health research, “but the law provides neither adequate protection standards nor modern encryption methods – that is negligent and dangerous. If health data falls into the wrong hands, it can no longer be undone.”
The Federal Ministry of Health declined to comment on the “ongoing process” in relation to heise online. The data collection without the possibility of objection was initiated by the former Health Minister Jens Spahn with the Digital Supply Act (DVG), which came into force in 2019.
To home page