Electronic Insurance card: Please don't Smile

2008-07-22 00:00:00, frankro

Some German health insurance funds have started asking their members to send in photos for newly issued electronic insurance cards, even though important security questions regarding the system are still unanswered. The Chaos Computer Club advises all members not to send a photo for now.

In the past few days we have received information about health insurers asking their customers to send photos as part of the issuing process for new insurance cards. The trade guild sickness fund of Saxony ("IKK Sachsen") even insists on a picture that meets current biometric photo ID requirements, and refers to a legal obligation to provide it.

The concept of the electronic insurance card, as known to the Chaos Computer Club, has some serious issues, for example in the implementation of the so-called "voluntary services" ("freiwillige Dienste"). With the electronic health record, sensitive details leave the protected environment of the doctor's practice and are stored on a central server. According to the specification this information will be encrypted prior to transmission, but there is no conclusive concept of who has access to the cryptographic keys.

Without these additional services, the introduction of the new electronic health insurance cards would neither be economically justifiable nor bring any added value for health insurers, doctors or patients. Consequently, the introduction of such an ill-conceived system is irresponsible. We therefore advise all policyholders not to comply with the request to send in a photo, so that the ubiquitous implementation of the new health insurance card will be delayed until these fundamental questions around protecting sensitive information are clarified.

As a matter of fact, § 291 of the German Social Security Code ("Sozialgesetzbuch") indicates that the health insurance card shall bear a "photograph of the insured person", but the law in question does not contain any further requirements about its nature. So there are no limits to creativity. A biometrically usable picture, as used in the controversial electronic passports, is not at all required by law.

Retaining the photo beyond the time frame required to produce the card is not required by law and is therefore prohibited.