The fundamental rights NGO epicenter.works reported a critical security vulnerability in the Epidemiological Reporting System (EMS) and was prosecuted as a result. The case shows the fundamental flaws in Austria's approach to IT security.

Criminal Complaint by the Ministry of Health for the Responsible Disclosure of Serious Deficiencies

The deficiency in the EMS, caused by a lack of diligence, enabled an undetermined number of people to access all data and entry options in the system for months. This affected the sensitive health and registration data of millions of people. In December 2021, epicenter.works discovered this security vulnerability together with the daily newspaper derStandard, reported it to the relevant authorities, and the case was subsequently covered in the media. Although this report prevented serious damage to a large part of the population, the Ministry of Health immediately filed a criminal complaint against the association for hacking. Hacking under § 118a StGB is only prosecuted with the authorisation of the injured party, so without the Ministry's authorisation it would not have been possible to initiate preliminary proceedings against us. Despite our request to Health Minister Rauch, he has not withdrawn this authorisation to this day and has still not replied to our letter.

The offence of hacking (§ 118a StGB) is punishable by up to 2 years of imprisonment. We were not informed of the charges against us for one year. On 16 February 2024, the proceedings were finally discontinued, partly because neither the intent to spy out data nor the intent to cause harm that the offence requires was present. Despite the closure, we incurred costs of around EUR 15,000 as a result of the two-year investigation.

Timeline of the EMS scandal

Cases like ours have a chilling effect on civil society, journalists and security researchers. The fear of legal proceedings and the associated costs and time means that non-profit organisations in particular will probably think twice before reporting security vulnerabilities in the future. This will leave our IT systems less safe and more vulnerable overall, especially in the public sector, with potentially devastating consequences.

Together with our legal representative in the matter, Maria Windhager, and Otmar Lendl, IT security expert at Cert.at, we held a press conference to explain our case and the need for Austria to catch up legally.

Press Conference on 30 April 2024:

IT Security Researchers Need Legal Protection

Especially in times of increasing IT attacks on individuals, companies of all sizes and entire federal states (the case of Carinthia), finding and closing security vulnerabilities should be a top priority. However, to uncover such vulnerabilities, security researchers must use the same methods and tools as criminals: a locksmith assessing the security of a lock also tries to open it without a key.

Anyone who reports security vulnerabilities to the Austrian state today risks prosecution and even imprisonment. This creates an incentive to keep such knowledge to oneself or, in the worst case, to exploit it criminally. Instead of severe threats of punishment, there is therefore an urgent need for an explicit legal exception for the ethical handling of security vulnerabilities in accordance with the principle of "responsible disclosure".

Legal and technical background to the EMS scandal

International Role Models - What Should Austria do?

We are not alone in this demand; the EU Agency for Cybersecurity (ENISA) is also in favour of such legislation. Countries such as Lithuania and the Netherlands have already recognised the added value of security research for the general public and have enacted corresponding laws. Many countries have also established "bug bounty" programmes, in which rewards are paid for reporting security vulnerabilities. Such programmes are also more cost-effective than private-sector IT audits of systems. With hybrid threats constantly on the rise, it is high time for Austria to finally get up to standard.

On 1 May 2024, the review period for the NIS2 Act ended, with Austria failing to solve this problem despite the EU recommendation. Here is our legal opinion.
