
Lower Saxony: Data breach at healthcare auditors’ association

Following a cyberattack on the Arbeitsgemeinschaft Wirtschaftlichkeitsprüfung Niedersachsen (Arwini e. V.), data has leaked from the auditing body’s systems, according to the Hanover Police Department; the extent remains unclear. Arwini processes health and billing data of persons with statutory health insurance in Lower Saxony and audits the cost-effectiveness of medical prescriptions on behalf of the statutory health insurance funds and the Kassenärztliche Vereinigung Niedersachsen (KVN). The attack was carried out by the ransomware group “Kairos,” as police confirmed to heise online. The “Hannoversche Allgemeine Zeitung” (HAZ) first reported the incident.

Up to 75,000 datasets affected

Arwini stated that in the worst case, up to 75,000 datasets could be affected. When contacted by heise online, the association’s external data protection officer, Jürgen Recha, replied that it remains unclear whether and which data have actually been exfiltrated. Recha cannot assess the authenticity of the sample posts on the Kairos ransomware group’s leak site. Arwini also declined to comment on specific data holdings and on technical processing. AOK informed the HAZ that its own systems were not affected.

According to a spokesman for the Kassenärztliche Vereinigung Niedersachsen (KVN), the KVN transmits pseudonymized datasets to the responsible inspection office on a quarterly basis. Patient data are anonymized in the process. However, doctor-related data such as doctor numbers and facility identification numbers are included so that the inspection office can attribute economic anomalies to individual practices. The identity of physicians and practices is therefore traceable. According to a 2022 audit agreement, further information, such as insured person numbers, can be requested if necessary.

Status of investigations

“Kairos” threatens to sell a 2.87 terabyte dataset that has been listed on the group’s leak site since May 11. The size is strikingly at odds with the 75,000 potentially affected datasets mentioned by Arwini – whether the attackers have actually stolen data on this scale has not yet been verified. Sample files are also visible on the leak site, mostly letters between health insurance funds and physicians. According to police, authorities are in international contact regarding Kairos – including with Spanish investigators.

In the meantime, a data protection breach notification has also been filed with the data protection officer for Lower Saxony. Whether the notification was made within the deadline is currently being examined. When asked, the authority pointed to the duty to inform affected parties: individuals whose data may be affected must be informed “without delay” if there is a foreseeable high risk to their rights and freedoms, unless one of the exceptions under Article 34 of the General Data Protection Regulation (GDPR) applies.

(mack)

URL of this article:

https://www.heise.de/-11297772

Links in this article:

https://www.heise.de/thema/Cyberangriff

https://www.haz.de/der-norden/haben-hacker-millionen-rezept-daten-von-menschen-aus-niedersachsen-gestohlen-E4LRTV3VUZBX7EVBYNPBSACHJE.html

https://www.kvn.de/Mitglieder/Verordnungen/Wirtschaftlichkeitspr%C3%BCfung.html


Copyright © 2026 Heise Medien
