IT Services Giant Bitmarck Suffered a Cyber Attack Disrupting Health Insurers’ Operations

German health insurers’ IT services provider Bitmarck Technik GmbH has shut down internal and customer-facing applications after suffering a cyber attack.

The company said it took customer and internal systems offline in a controlled manner after its early warning systems detected an attack.

Bitmarck hired external security experts to process the incident and notified relevant law enforcement and regulatory authorities.

Although it would immediately restore some limited services, Bitmarck warned customers to expect long delays because it prioritized security over speed, given the nature of the attack.

Bitmarck warns of extended disruption of IT services

Although Bitmarck was gradually providing IT services for statutory health insurance companies and some customers were “hardly affected,” the company anticipated “considerable restrictions in day-to-day business for the foreseeable future.”

“This is due to the fact that in some cases entire BITMARCK data centers were taken offline, individual services may have to be shut down again, and the restarting of individual services is associated with renewed temporary service failures,” the company said.

Although Bitmarck promised to restore systems as quickly as possible, the IT services company did not provide a timeline. However, some services, such as the digital processing of electronic certificates and access to the electronic patient file (ePA), would be restored almost immediately. Others, such as KIM digital services, the monthly transmission of statistical data, and insurance business central processes, would return much later.

Bitmarck said it would prioritize security and critical operations during the restoration process. The company also planned to set up temporary infrastructure to provide health insurers with essential IT services such as payment processing.

Bitmarck promised to provide affected health insurers with at least one interim solution to perform essential functions depending on the customer’s needs. At least 40 health insurers, or roughly half of those affected, benefited from this arrangement.

Describing the attack as professionally planned and executed, the IT services company said it must conduct extensive analysis and prioritize security over speed when restoring systems.

“In order to fully restore normal operation, emergency solutions must also be switched back to normal operation, which can lead to short-term service failures,” the company said.

Health insurers affected by the Bitmarck cyber attack likely included high-profile companies such as Siemens-Betriebskrankenkasse (SBK), which has notified customers about system outages.

“In order to get a grip on the situation, not only internal technicians but also IT specialists and forensic experts from the Landeskriminalamt (LKA) are involved in dealing with the incident,” said Chris Vaughan, Vice President of Technical Account Management at Tanium.

Did Bitmarck’s cyber attack leak health insurers’ or patient data?

According to its “current state of knowledge,” Bitmarck said the cyber attack did not leak data from its customers or insured patients.

“The patient data stored in the EHR was not and is not endangered by the attack at any time,” the company said, adding that the information was subject to special protection under Gematik (German national agency for healthcare digitization) regulations.

“The exact extent of the damage will only become clear in the next few days,” Vaughan noted. “A GDPR fine in the case of data loss, for example, is not unlikely and can amount to up to 20 million euros or 4 percent of the company’s annual turnover from the previous year for Bitmarck.”

Meanwhile, the company and its incident response partners believe their security measures thwarted the attack and averted “far greater damage.”

However, Bitmarck withheld the identity of the threat actor who compromised its network and whether the incident involved ransomware.

“To prevent similar attacks, organizations must study the common tactics, techniques, and procedures used by common threat actors, which will help them build more resilient security detection, prevention, and response programs mapped specifically to those known behaviors,” said Stephan Chenette, Co-Founder and CTO at AttackIQ.

According to Chenette, the healthcare industry was “one of the largest targets for cyber-criminals due to protected health information (PHI) being extremely profitable on dark web marketplaces.”

The Bitmarck cyber attack is the second to affect health insurers within a month. On April 17, 2023, the Canton, Massachusetts-based health insurer Point32 Health detected a ransomware attack forcing the company to take systems offline to contain the spread.

In January 2023, Bitmarck suffered another cyber incident that leaked the personal information of approximately 300,000 patients from various health insurers.

“The fact that an intrusion has happened so soon after another major incident is a concern and questions must be asked about whether the necessary level of cyber hygiene is being maintained,” Vaughan cautioned.