The Zerforschung collective has found security gaps in the digital health application (DiGA) edupression. Zerforschung informed the manufacturer Sofy GmbH on May 1st about the security gap “at interfaces” of Edupression. According to the company, the gap was then closed within a few hours. The Austrian data protection authority is informed as reported by the Handelsblatt.
A team led by IT security expert Lilith Wittmann gained access to names, customer numbers, e-mail addresses and health data – such as information on medication and mood.
According to the Handelsblatt, the Federal Office for Drugs and Medical Devices (BfArM), which is responsible for the approval of the prescription-only DiGA – the “apps on prescription” – is examining “further requirements for the implementation of the penetration tests”. The app, which has been included in the DiGA directory until August 25, 2023, currently has over 2,000 testers. A permanent admission can be made by the health insurance companies after 24 months, whereby the manufacturer has to prove the effectiveness of the app.
Not the first DiGA leak
As early as June 2022, Zerforschung had found security gaps in the depression DiGA Novego and the digital diary for cancer patients Cankado. The latter was removed from the DiGA directory on April 21, 2023 because, according to the BfArM, it could not demonstrate any positive supply effect.
In September 2022, the BfArM published new test criteria for DiGA and digital care applications (DiPA). Accordingly, a data protection certificate from the BSI is also required.
(mack)
