Cyber Incident Victim: Bitmarck
Date: Apr 2023
Location: Germany
Summary
A cyberattack targeted IT service provider Bitmarck, causing significant technical disruptions for numerous statutory health insurance companies it serves. The company took proactive defensive measures, including disconnecting defined clusters of its IT infrastructure from the network to prevent potential damage. This resulted in widespread service outages affecting the telematics infrastructure, electronic patient records, electronic sick notes, and co-payment verification checks. The firm stated no data exfiltration was detected and that all relevant authorities were informed.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around March 28, 2023, the IT service provider Bitmarck, which provides services for numerous statutory health insurance companies in Germany, became the target of a cyber attack. Bitmarck was actively defending against the incident as of Tuesday of that week, which, based on the article's publication date, corresponds to March 28th. The company's early warning systems detected and reported attacks on its internal systems. In response to the active threat, Bitmarck deliberately took individual customer and internal systems offline to thwart the attack and prevent any potential negative impacts. A company spokesman confirmed these initial steps, stating that no data exfiltration had been detected at that time and that the shutdown was being carried out in accordance with the company's pre-established and agreed-upon security policies.

The immediate consequence of these defensive actions was the onset of technical disruptions in the daily operations of some of Bitmarck's client health insurance funds. The Bitmarck website itself was also temporarily inaccessible as a direct result of these measures, though this particular issue was reportedly resolved quickly. The company emphasized that it was in close communication with its affected customers and was coordinating the necessary steps to manage the situation, with a focus on keeping the disruptions to a minimum. All relevant authorities were proactively and promptly informed of the incident, and Bitmarck stated it was fully cooperating with these agencies.

The situation escalated on the following night, believed to be the night of March 28th to 29th. Bitmarck found it necessary to intensify its defensive measures. As part of this heightened response, the company preemptively disconnected defined clusters of its IT infrastructure from the network. This was described as a preventative action aimed at warding off potential damage to both Bitmarck and its customers. However, this more extensive disconnection resulted in significantly greater disruptions to the availability of services for the statutory health insurance funds that rely on Bitmarck's infrastructure.

The impact of these service disruptions was wide-ranging and affected several critical healthcare digital services. The telematics infrastructure (TI), a central component of Germany's digital healthcare network, reported disruptions. This specifically impacted the use of the electronic patient record (ePA) for customers of several major health insurers, including Allianz, hkk, DAK, KKH, Mobil BKK, svlfg, and various BKK and IKK funds. The delivery of electronic work incapacity certificates (eAU) and electronic doctor's letters was also affected by the attack. Furthermore, the system for verifying patient co-payment exemptions was temporarily disrupted for Bitmarck's client funds starting from April 25th, a date mentioned in the context of ongoing or separate disruption timelines.

A publicly available listing from the site scanacs detailed the specific health insurance funds experiencing disruptions, providing a scope of the incident's reach. The affected clients included Audi BKK, BAHN-BKK, BKK Miele, BKK Pfalz, Bosch BKK, hkk, pronova BKK, Siemens BKK, IKK - die Innovationskasse, mhplus, BMW BKK, BKK VBU, vivida bkk, and IKK Classic. This list underscores the broad dependency of a significant segment of Germany's statutory health insurance system on Bitmarck's IT services and the corresponding scale of the incident's impact on citizens' access to digital health services.

This cyber attack on Bitmarck in late March 2023 was not an isolated event but rather a recurrence of a prior security incident. The article notes that cyber criminals had successfully breached Bitmarck's systems just a few months earlier, in January 2023. In that previous incident, sensitive data belonging to approximately 300,000 online customers of various health insurance funds was compromised and subsequently appeared publicly on the internet. Following that January breach, Bitmarck had stated its intention to investigate with the highest priority how the data, described as somewhat older, came to be exposed within the collaboration tool Jira. The recurrence of a significant attack so soon after the first major data breach highlighted ongoing security challenges for the provider.

The company's response in March involved a strategy of aggressive network segmentation and system isolation to contain the threat, prioritizing the integrity of systems and the prevention of further data loss over uninterrupted service availability. The public communications from Bitmarck focused on confirming the attack, detailing the defensive actions taken, assuring that no data exfiltration had been detected in this instance, and outlining the extensive cooperation with authorities. The primary consequences were operational and technical disruptions that cascaded from the service provider down to the health insurance funds and, ultimately, to the end users (patients and healthcare providers) who rely on these digital platforms for critical healthcare management functions.
