Cyber Incident Victim: AOK
Date: May 2023
Location: Germany
Summary
Multiple AOK health insurance providers were impacted by a security vulnerability in the third-party MOVEit Transfer software used for data exchange with external partners. The flaw enabled unauthorized access to the application, prompting an immediate disconnection of all external data exchange links. This caused significant disruptions to data transfers with companies and service providers. An investigation is underway to determine if the incident resulted in unauthorized access to members' social data.
| Field | Value |
|---|---|
| CIA Posture | Available to members |
| Motives | 1 motive (details available to members) |
| Tactics, Techniques & Procedures | 1 technique (details available to members) |
| Threat Actors | 0 actors attributed |
| Type | Available to members |
| Location | Available to members |
Description
On or around May 31, 2023, multiple regional health insurance providers (AOKs) within Germany were impacted by a security vulnerability in a third-party software application used for data transfer. The software was "MOVEit Transfer," a managed file transfer product the AOKs used to exchange data with external partners. The affected AOKs included Baden-Württemberg, Bayern, Bremen/Bremerhaven, Hessen, Niedersachsen, Rheinland-Pfalz/Saarland, Sachsen-Anhalt, and PLUS, as well as the AOK-Bundesverband, the national association. The vulnerability in MOVEit Transfer allowed unauthorized access to the application and the data it handled. The flaw was not specific to the AOKs: initial media reports indicated that numerous organisations, both in Germany and abroad, were affected by the same vulnerability in the MOVEit product, with a large share of the reported attacks taking place in the United States.

Upon discovery of the vulnerability, immediate action was taken to secure data and systems, and the pre-defined incident response measures were initiated without delay. The central containment step was to sever all external connections that ran over the affected MOVEit Transfer installation. This was a precaution against any further unauthorized access, but it came at an operational cost: data exchange between the AOKs and their external partners was limited or interrupted. The partners concerned included companies, healthcare providers (Leistungserbringer), and the Federal Employment Agency (Bundesagentur für Arbeit).
The full scope and impact of the incident were not immediately known. An investigation was launched to determine whether the vulnerability had been exploited to access the social data (Sozialdaten, the protected personal data of insured persons) of the AOKs' members. As of the date of the initial report, this examination was ongoing and had not been concluded. The AOK community committed to informing all affected parties promptly as new findings became available. Because statutory health insurers are operators of critical infrastructure in the health sector, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) was formally notified of the incident under the KRITIS reporting process.
In parallel with the investigation, intensive efforts were made to restore the affected systems and re-establish secure data exchange. The priority was to remediate the affected infrastructure and return to normal operation, but reconnection to external networks could only follow once the vulnerability itself had been addressed; from a practitioner's standpoint, the transfer and web server logs of the MOVEit Transfer host also needed to be preserved before any remediation, since they are the evidence on which the question of whether member data was accessed ultimately turns. The incident illustrates how heavily critical business functions depended on a single managed file transfer product, and how a vulnerability in one widely used third-party component can produce broad operational impact. The interruption of data exchange was itself a significant consequence, even though it was caused by the containment measures rather than by the attackers, because it cut off the flow of information essential to daily operations with key external entities.
