Hackers attack hospital data - should patients report themselves?
The Ameos hospital group has been in a state of emergency since a massive hacker attack at the beginning of July 2025. But while one would expect every effort to be made to protect patients, a procedure is now in place that leaves many simply stunned: those affected are asked to report themselves if they believe they have been hit by the data leak - and to upload a copy of their ID card at the same time.
What sounds like a bad joke is bitterly serious. After all, it is the company's duty to actively inform all those affected - and not their job to chase after the loss of their own sensitive data.
Health data from eleven clinics affected - the silence weighs heavily
The attack affects all eleven Ameos locations in Saxony-Anhalt, including clinics in Aschersleben, Halberstadt, Wernigerode, Haldensleben and other towns. And it's not about trivial information, but highly sensitive medical data.
On Tuesday, Ameos confirmed for the first time that health data had also been leaked - i.e. intimate information that is subject to special protection. Despite this, the company has so far refrained from directly informing the people affected. Instead, there is a website where patients can use a complicated procedure to find out for themselves whether they are affected.
Data protection officer: complaints are piling up
Maria Christina Rost, data protection officer for Saxony-Anhalt, responded unambiguously to the allegations. She confirmed to MDR that several complaints had been received. Her office is currently coordinating with colleagues from other federal states on how to proceed.
One thing is clear: the GDPR obliges companies to notify data breaches immediately if there is a risk to the rights and freedoms of individuals. Responsibility must not be shifted to patients - especially as many of them are probably unaware of the data leak and therefore cannot report it "as a precaution".
Ameos defends itself - criticism remains
Officially, the hospital group presents itself as cooperative and refers to close coordination with the data protection authorities. When asked why those affected are not contacted directly, Ameos cites the "high effort of checking each case individually" and a lack of knowledge about the exact number of people affected.
However, this is not a free pass to simply hand responsibility over to patients - especially not in a sensitive area such as healthcare. That patients are also required to upload their ID card for identification purposes is, in the view of experts, a further absurdity under data protection law.
Ameos' actions are a scandal
Anyone who stores sensitive health data also bears responsibility if it falls into the wrong hands. And this responsibility does not end with a vague message on a website. Patients have a right to be informed - clearly, directly and without extra effort.
The fact that a hospital group ignores these principles and instead relies on "self-disclosure" is not only legally questionable - it is morally completely wrong. If data protection is perceived as a burden, there is no place for it in the healthcare sector. The supervisory authorities need to take a clear stance here - and Ameos needs to rethink its approach. Urgently.