No Evidence of Data Misuse Found in 100,000 Incorrectly Sent E-Sick Notes


In a recent incident involving the KIM service (Kommunikation im Medizinwesen, the e-mail based messaging service of the German telematics infrastructure), approximately 100,000 electronic certificates of incapacity for work (eAU) were misdirected. The certificates were intended for AOK Lower Saxony but never reached it. The error came to light when a medical practice noticed a sudden flood of incoming messages and realised that it was receiving certificates meant for someone else. Gematik, the agency responsible for digitising the healthcare system, assumes that the practice was unable to open the misdirected messages. To stop further misdeliveries, the KIM address in question was removed from the directory service.

AOK Lower Saxony has stated that it cannot yet determine which practice management systems are affected. Under data protection law, responsibility for the error rests with the physicians who sent the eAUs to the wrong practice, even though the misrouting was caused by a defect in their practice management systems. According to the State Commissioner for Data Protection in Lower Saxony, physicians are obliged to select their processors carefully and to ensure data protection-compliant working practices; however, there is no indication that the practices failed to meet this obligation.

The affected practice promptly informed Gematik and AOK Lower Saxony after discovering the misdirected messages. The Lower Saxony medical association will shortly ask physicians to check their e-mails more diligently. The cause of the misrouting is believed to be a faulty implementation in the practice management systems of certain manufacturers: because some vendors had not implemented the required check, their systems neither performed the full validation nor arrived at an unambiguous assignment when identifying the health insurer and practice involved.

Gematik has asked the affected primary system manufacturers to implement immediately the validation check that has been mandatory since 2022. At Medatixx, one such manufacturer, the problem was that domain IDs in the directory service for KIM addresses had been assigned twice, so that AOK Lower Saxony and a doctor's practice shared the same ID. The Federal Commissioner for Data Protection and Freedom of Information has been informed of the incident, although there was no unauthorised access to the telematics infrastructure. Because health data is involved, the incident is subject to the special professional-secrecy and criminal-law requirements that apply to such data.
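The duplicate-ID failure mode and the missing recipient check described in the two preceding paragraphs, as an added example that is not part of the original article and is not Gematik's specification or any vendor's code. The directory layout, field names, IDs and addresses are constructed assumptions; the real KIM directory service has its own schema. The example contrasts a first-match lookup, which silently delivers to whichever duplicate entry wins, with a lookup that fails closed when an ID is ambiguous or the resolved entry is not the expected kind of organisation, and adds an audit that lists duplicated IDs in a directory export.

```python
"""Recipient resolution against a directory that contains a duplicated ID.

Constructed illustration: the directory layout, field names, IDs and
addresses are assumptions made for this example. They are not the real
KIM directory schema, not gematik's mandated check and not vendor code.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DirectoryEntry:
    domain_id: str     # assumed lookup key used by the sending system
    kim_address: str   # constructed address, not a real mailbox
    org_type: str      # "insurer" or "practice"
    name: str


# Constructed directory export. ID-0001 is assigned twice, to an insurer and
# to a practice: the failure mode the article describes.
DIRECTORY: List[DirectoryEntry] = [
    DirectoryEntry("ID-0001", "eau@insurer-a.example", "insurer", "Insurer A"),
    DirectoryEntry("ID-0001", "praxis@practice-b.example", "practice", "Practice B"),
    DirectoryEntry("ID-0002", "eau@insurer-c.example", "insurer", "Insurer C"),
]


def resolve_naive(domain_id: str, directory: List[DirectoryEntry] = DIRECTORY) -> str:
    """Lookup without any uniqueness check.

    Builds a dict keyed by domain ID, so a duplicated key is silently
    overwritten and the sender gets whichever entry happened to be last.
    """
    index = {e.domain_id: e.kim_address for e in directory}
    return index[domain_id]


def resolve_checked(
    domain_id: str,
    expected_org_type: str,
    directory: List[DirectoryEntry] = DIRECTORY,
) -> Tuple[str, Optional[str]]:
    """Fail-closed lookup.

    Returns (status, address). The address is only set for status "ok";
    every other status means the eAU must not be sent:
      "unknown"        no entry for the ID
      "ambiguous"      more than one entry for the ID
      "type-mismatch"  the single entry is not the expected kind of organisation
    """
    matches = [e for e in directory if e.domain_id == domain_id]
    if not matches:
        return "unknown", None
    if len(matches) > 1:
        return "ambiguous", None
    entry = matches[0]
    if entry.org_type != expected_org_type:
        return "type-mismatch", None
    return "ok", entry.kim_address


def duplicate_ids(directory: List[DirectoryEntry] = DIRECTORY) -> Dict[str, List[str]]:
    """Audit a directory export: map every domain ID that occurs more than
    once to the names of the entries sharing it."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for e in directory:
        seen[e.domain_id].append(e.name)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    # An eAU addressed to ID-0001 is meant for an insurer.
    print("naive  :", resolve_naive("ID-0001"))               # practice address: misrouted
    print("checked:", resolve_checked("ID-0001", "insurer"))  # ('ambiguous', None)
    print("checked:", resolve_checked("ID-0002", "insurer"))  # ('ok', 'eau@insurer-c.example')
    print("audit  :", duplicate_ids())                        # {'ID-0001': ['Insurer A', 'Practice B']}
```

The point of the checked variant is that a directory key which is not guaranteed unique must never be consumed as if it were: a send operation that cannot prove it has exactly one recipient of the right kind should stop rather than pick one. The audit function is the directory-side counterpart; run over an export, it surfaces duplicate assignments before a sender ever trips over them.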
