Cyber Incident Victim: FPZ GmbH
Date: Aug 2023
Location: Germany
Summary
FPZ GmbH experienced a ransomware attack targeting its data center. The incident response involved forensic analysis of IT systems in coordination with law enforcement. While no data loss was found, the event was reported to data protection authorities as required. Business continuity measures were implemented, including a new website and alternative processes for handling patient therapy prescriptions and communications to maintain operational capacity.
Description
On or around August 30, 2023, FPZ GmbH experienced a significant cybersecurity incident involving an attack on its data center, which was identified as a ransomware event. In accordance with the stipulations of the ISO 27001 standard, the company promptly filed a criminal complaint against unknown perpetrators with the State Office of Criminal Investigation (LKA) in Düsseldorf on the same day the incident was discovered. The immediate response involved the analysis of the IT systems within a secured environment, a process noted to potentially take several hours per individual system. At this initial stage, there were no indications that any form of patient data had been affected by the breach. The primary focus on the following day, August 31, was the restoration of all compromised systems. These recovery efforts were conducted with a high degree of coordination, as the procedures were carefully aligned with the relevant authorities and the police. The restored systems were placed into a secure environment to facilitate the subsequent forensic analysis phase, and the company continued to report no findings that pointed toward any data loss having occurred as a result of the attack.

The incident response and forensic investigation processes continued to advance throughout the first week of September. By September 1, FPZ GmbH was actively engaged in ongoing forensic work and had also established a line of communication with BITMARCK, a service provider responsible for health insurance companies, indicating the broad ecosystem potentially impacted by the disruption. Furthermore, the company took a significant regulatory step on that date by submitting a formal notification of the personal data breach to the North Rhine-Westphalia State Commissioner for Data Protection and Freedom of Information (LDI NRW). The company justified this action by citing explicit guidelines from supervisory authorities that classify ransomware incidents as a valid reason for such a mandatory report. The rationale provided was that within the standard data protection model, the availability of data is considered a key safeguarding objective, the compromise of which through a ransomware attack triggers the obligation to inform the relevant data protection oversight body.

Operational continuity measures were implemented to ensure that FPZ therapy centers and partner doctors could remain functional despite the ongoing IT disruptions. On September 5, the company issued guidance for medical professionals to continue the process of prescribing FPZ therapy. Doctors were instructed to have patients fill out application forms in paper form, specifically for individuals insured by BARMER, Pronova BKK, and IKK classic, and to submit these applications via fax to a provided number. The company committed to reviewing these paper-based applications and providing feedback by telephone. For the actual issuance of a prescription, doctors were directed to examine the patient and, if medically suitable, issue the FPZ therapy prescription using the guideline for physicians, providing the patient with the guideline to present at an FPZ therapy center. Instructions for archiving and billing were also provided, advising doctors to always archive a copy of the prescription so that online documentation could be created and billed at a later time if required. To further support its clients, FPZ made its most important documents available for download via a dedicated link on a separate infrastructure on September 6.

The forensic investigation into the IT environment was reported to be progressing quickly, though it was noted that a large number of systems required analysis. By September 8, the profile of the perpetrators and the specific attack vector were coming into sharper focus for investigators. A crisis board comprising representatives from forensics, IT, and the criminal police (Kripo) decided to expand the scope of the forensic analysis. It was determined that, for the sake of a complete analysis, all client systems currently in use would also be examined in parallel. This extensive process was scheduled to run over the weekend. Throughout this period of intensive internal investigation and system analysis, communication with customer groups was maintained continuously through a parallel infrastructure that had been established to ensure service reliability. As part of the recovery and security enhancement efforts, a completely newly developed version of the company's main website, www.fpz.de, was also launched and put into operation on September 8, marking a significant step in restoring full digital operations. The company's ongoing updates reflected a methodical and transparent approach to managing the incident, focusing on forensic clarity, operational continuity, and regulatory compliance.
