Cyber Incident Victim: Wiesbaden, Hesse, Germany
Date:
Mar 2023
Location:
Germany
Summary
A cyberattack targeted the German health insurer BIG direkt gesund, causing it to preemptively shut down its systems. The incident resulted in widespread service disruptions for its approximately 513,000 insured members, affecting core functions including benefit payments and customer communications. While the insurer confirmed an unauthorized system access occurred, it reported no evidence of data exfiltration. External IT experts were engaged and authorities were notified as systems were gradually restored.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around March 28, 2023, the health insurance provider BIG direkt gesund detected an unauthorized access to its systems. In immediate response, the company severed all external connections and powered down its affected servers. The organization characterized the event as an "unberechtigter Zugriff" (an unauthorized access) and did not publicly confirm it as a ransomware attack, though external indicators suggested this possibility. The attack left the insurer unreachable for its approximately 513,000 policyholders for several days. BIG direkt gesund engaged external IT forensic experts to assist with the investigation and officially reported the security breach to both law enforcement and the relevant supervisory authorities. A company spokesperson stated there were no initial indications that policyholder data had been exfiltrated. Recovery efforts were prioritized, with a focus on restoring the payment of benefits to members, which was successfully resumed at the beginning of the following week. Customer communication channels were also gradually reestablished, though the company warned that bottlenecks in this service might still occur.

Separately, and with no connection to the BIG direkt incident according to the insurer, the IT service provider Materna Information & Communications SE experienced a major cyberattack on its network infrastructure on March 25, 2023. The company was forced to take affected servers and services offline. Although Materna did not officially confirm the nature of the attack, available reports indicated it involved a ransomware compromise. The impact of this attack on a central service provider was significant and widespread. Almost immediately, self-service check-in kiosks operated by Materna at Hamburg and Berlin-Brandenburg airports experienced outages. Airport officials confirmed the systems were restored in time to avoid major disruptions to Easter travel. The attack on Materna also caused subsequent problems for Lufthansa, impacting both its online check-in platform and its check-in machines at Frankfurt Airport. The airline stated these services were interrupted immediately upon learning of the attack and that alternatives were swiftly put in place. A Lufthansa spokesperson also noted that no evidence at that time suggested any customer data had been stolen or compromised in the incident.
In a third, unrelated incident, the IT service provider Bitmarck, which processes data for numerous statutory health insurers, successfully defended itself against an active cyberattack on Tuesday, March 28, 2023. A company spokesperson confirmed its early warning systems had detected attacks targeting Bitmarck's internal systems. To thwart the intrusion and prevent any negative consequences, Bitmarck proactively took a defined set of customer and internal systems offline. The company stated that no data exfiltration had been detected and that these shutdowns were executed in accordance with its established security protocols. This defensive action resulted in temporary technical disruptions to the daily operations of several health insurers that rely on Bitmarck, as well as causing a temporary outage of the Bitmarck website itself. The company maintained close communication with its affected customers and coordinated all necessary steps while striving to keep operational restrictions to a minimum. All relevant authorities were promptly informed, and Bitmarck pledged full cooperation with these agencies.
The defensive measures at Bitmarck were intensified during the night following the initial attack. As a preventative action to shield both the company and its clients from potential damage, Bitmarck disconnected defined clusters of its IT infrastructure from the network. This escalation of containment efforts resulted in more significant and widespread service impairments for the statutory health insurers it supports. The technical disruptions affected a range of critical healthcare services. The availability and functionality of Germany's Telematikinfrastruktur (TI), or Telematics Infrastructure, were impaired, impacting the use of the electronic patient record (ePA) for customers of insurers including Allianz, hkk, DAK, KKH, Mobil BKK, svlfg, and several BKK and IKK affiliates. The electronic delivery of work incapacity notices (eAU) and electronic doctor's letters was also disrupted. Furthermore, the system for validating patient co-payment exemptions was temporarily offline for Bitmarck's client insurers starting from April 25. A scanacs website listing identified the affected insurers as Audi BKK, BAHN-BKK, BKK Miele, BKK Pfalz, Bosch BKK, hkk, pronova BKK, Siemens BKK, IKK - die Innovationskasse, mhplus, BMW BKK, BKK VBU, vivida bkk, and IKK Classic. This event marked the second major cybersecurity incident for Bitmarck within a few months, following a breach in January 2023 where sensitive data belonging to approximately 300,000 online customers of various health funds was stolen and subsequently published online.
In a further development on March 31, 2023, the public transport operator Üstra (Verkehrsbetriebe der niedersächsischen Landeshauptstadt Hannover, the transit operator of Hanover, the state capital of Lower Saxony) was hit by a cyberattack. The company was forced to completely shut down all of its computer systems. This action led to the suspension of sales for the new Deutschlandticket and significantly limited the availability of customer service functions. Üstra reported the incident to the police and, in addition to its own corporate IT team, brought in external cybersecurity experts to manage the situation. The company did not confirm whether ransomware was involved. By April 27, Üstra announced that the Deutschlandticket would be available for regular booking starting June 1, 2023. Customers seeking to purchase the ticket for a May 1 start date could place orders through the "FahrPlaner-App" in cooperation with the Verkehrsverbund Bremen/Niedersachsen, though this option was only available until April 30. The company also warned that delays could be expected in the processing of the region's 365-Euro social and job tickets. At the time of reporting, no concrete connections could be established between the attacks on BIG direkt gesund, Materna, Bitmarck, and Üstra. All affected organizations cited ongoing investigations as the reason for withholding specific details regarding the attack vectors or the particular ransomware strains potentially involved.
