Cyber Incident Victim: AOK Bayern

Date:

May 2023

Location:

Germany

Summary

Multiple AOK health insurers were affected by a vulnerability in the MOVEit Transfer software they use to exchange data with external partners. The vulnerability allowed unauthorized access to the application. As a precaution, all external connections relying on the system were severed, restricting data exchange. An investigation is under way to determine whether the gap allowed access to members' social data. The national cybersecurity office (BSI) was informed of the incident.


Description

A security incident affecting multiple AOK health insurers in Germany was identified on or around May 31, 2023. It stemmed from a vulnerability in "MOVEit Transfer", a widely used third-party managed file transfer product that the affected AOKs employed to exchange data with external partners, including companies, healthcare service providers, and the Federal Employment Agency (Bundesagentur für Arbeit). The vulnerability allowed unauthorized access to the application. The AOK entities confirmed to be affected were AOK Baden-Württemberg, AOK Bayern, AOK Bremen/Bremerhaven, AOK Hessen, AOK Niedersachsen, AOK Rheinland-Pfalz/Saarland, AOK Sachsen-Anhalt, and AOK PLUS; the AOK-Bundesverband, the national association of the AOK insurers, was also involved. The AOK system is a major component of the German healthcare landscape, with over 20.9 million members as of late 2021.

Upon discovery of the flaw, the AOK-Gemeinschaft initiated its predefined incident response protocol. The primary containment action was to sever all external connections that relied on the MOVEit Transfer data exchange system, so that no further unauthorized access could occur through it. The direct consequence was an interruption of electronic data exchange between the affected AOKs and their external partners, a significant operational impact on business processes that depend on a regular and secure flow of information with contracted entities and government agencies.

At the time of the initial report, the investigation into the full scope and impact of the incident was ongoing. The central open question was whether the unauthorized access had resulted in a compromise of policyholders' social data (Sozialdaten); this verification was explicitly noted as not yet complete. Severing the connections stops further access but does not by itself establish what was already read or exfiltrated, which is why the forensic analysis was still required. The AOK-Gemeinschaft committed to informing its members and the public as soon as new findings emerged. Because the health insurers operate critical infrastructure, the incident was formally reported to the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) under the KRITIS (Critical Infrastructure) framework.

The incident was not isolated to the AOKs. Initial media reports indicated that the MOVEit Transfer vulnerability affected numerous organizations both in Germany and internationally, with a large proportion of the attacks exploiting it reported in the United States, which pointed to a widespread campaign against this one product and placed the AOK incident within a larger global event. Recovery work was under way to restore the affected systems to a secure and operational state, with the focus on rebuilding and securing the data exchange infrastructure so that normal operations with external partners could resume safely while maintaining a high security standard. The full extent of any data compromise and the timeline for restoring all data exchange services remained under assessment as the response and investigation continued.
