
Cyber Incident Victim: AOK

Date:

May 2023

Location:

Germany

Summary

Multiple AOK health insurance funds were impacted by a security vulnerability in the MOVEit Transfer software used for data exchange with external partners. The flaw enabled unauthorized access to the application, prompting an immediate shutdown of all external connections based on the system. This caused significant disruptions to data exchange processes while an investigation was underway to determine if member social data was accessed. The national cybersecurity authority was also informed of the incident.

CIA Posture: Available to members

Motives: 2 motives

Tactics, Techniques & Procedures: 1 technique

Threat Actors: 0 actors

Threat Actor Type: Available to members

Threat Actor Location: Available to members

Description

On or around May 31, 2023, multiple regional AOK health insurance providers in Germany were impacted by a security vulnerability in a third-party software application used for data transfer. The affected organizations included AOK Baden-Württemberg, AOK Bayern, AOK Bremen/Bremerhaven, AOK Hessen, AOK Niedersachsen, AOK Rheinland-Pfalz/Saarland, AOK Sachsen-Anhalt, and AOK PLUS, as well as the AOK-Bundesverband, the national association. The incident was not isolated to the AOK system but was part of a broader global event affecting numerous companies both within Germany and abroad, with a significant portion of the attacks reported to have occurred in the United States.


The vulnerability existed within the application "MOVEit Transfer," which the AOKs utilized for exchanging data with external partners. These partners included various firms, healthcare providers (Leistungserbringer), and the Federal Employment Agency (Bundesagentur für Arbeit). The security flaw enabled unauthorized access to this application. Upon discovery of the vulnerability, the AOKs immediately initiated their predefined procedures for securing data. A primary containment action involved severing all external connections that relied on the compromised MOVEit Transfer system. This decisive action was taken as a precautionary security measure to prevent any further potential unauthorized access.

This disconnection of the data exchange system resulted in immediate and significant operational impacts. The incident caused restrictions and interruptions in the data exchange between the affected AOKs and their external partners. The normal flow of data necessary for business operations with firms and healthcare providers was disrupted. The AOKs began working intensively to restore their systems and re-establish secure data exchange channels, though the process of full restoration was ongoing at the time of the public announcement.

Concurrently, an investigation was launched to determine the full scope of the incident. A critical part of this investigation was to establish whether the security vulnerability and the subsequent unauthorized access had allowed attackers to view or exfiltrate the sensitive social data of the AOKs' insured members. The review was explicitly noted as not yet complete as of May 31, 2023. The AOK-Gemeinschaft committed to informing the public promptly as soon as new findings became available from the ongoing forensic examination.

In accordance with regulatory protocols for protecting critical infrastructure, the AOKs reported the incident to the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI). The report was made under the KRITIS procedure, which governs the protection of critical infrastructure sectors within Germany. The incident involved a widely used commercial file transfer solution, indicating that the compromise stemmed not from a failure specific to the AOKs' internal security controls but from a vulnerability in a product used by a vast array of organizations internationally. The response focused on securing systems, assessing potential data compromise, and working towards restoring normal operations with external partners while the software vendor addressed the underlying flaw.
