Heise.de reports:
A massive data leak potentially affects hundreds of thousands of patients at ZAR rehab clinics across Germany. Among other things, highly sensitive medical reports were accessible. The affected rehab centers are under the umbrella of Nanz medico, which claims to be the largest provider of outpatient rehab services in Germany. This includes a total of 39 rehab clinics.
A savvy user of the group's ZAR PAT app reportedly noticed that it was communicating over the internet without encryption, retrieving his schedules from the server in plain text.
The extent and amount of sensitive information exposed are concerning. Heise reports:
This included not only personal data such as first name, surname and date of birth, but also information about courses attended in the rehabilitation facilities and detailed medical reports that were recorded as part of the therapy, for example in the treatment of psychosomatic illnesses. These contain sensitive information about the patient’s life circumstances and state of health, such as in this report: “Looking back on the individual psychotherapeutic sessions, looking back on her childhood was rather upsetting for her, she had successfully repressed many things that had now come up again”.