Your health data on its way to research and most people don't know about it

Imagine: All your doctor's visits, prescriptions, hospitalizations and diagnoses of the last 15 years will be centrally stored and made available for research purposes.

That doesn't sound wrong when it comes to medical research, does it? But now comes’s:

Most of you probably don't even know that this is already going on.

Constanze Kurz from the Chaos Computer Club summed it up at the Anosidat conference at the end of October: The majority of people have no idea that their billing data has been transmitted to the health insurance fund to the Research Data Centre for Health (FDZ Gesundheit) since 2022. And soon they will also end up in the European Health Data Space.

What is FDZ health anyway?

The Research Data Centre for Health is located at the Federal Institute for Drugs and Medical Devices (BfArM) and was officially launched in October 2024. From this point on, researchers from science can and Economy Make requests for access to the data.

The highlight: All billing data of the statutory health insurance funds from 2009 to 2023 are already available there. That is data from 75 million insured persons – 600 million cases with 8 billion records. An incredible amount of data.

Of course, Federal Minister of Health Nina Warken (CDU) promises the highest data protection standards and that everything is only pseudonymised. BfArM President Karl Broich welcomed the "data treasure" and stressed the importance of this data for research.

The problem: Lack of transparency and questionable pseudonymisation

This is where it becomes critical. Constanze Kurz of the CCC strongly warned against a "creeping dismantling of health data protection for the benefit of economic interests". And she has damn good reasons for this:

1. Most people don't know about it

The Gesellschaft für Freiheitsrechte (GFF) has already filed a lawsuit against the disclosure and storage of this data. Why? Because very few people even know that their data ends up there and is used.

For the accounting data from 2009 to 2023, there were No possibility of objection. Only for data from the electronic health record (ePA), which will be added soon, there is an opt-out. But here, too, is the problem: How many people actively disagreed? Those responsible at the press conference at the start of the FDZ could not (or did not want to) name this number.

2. Pseudonymization is not the same as anonymization.

Kurz explicitly warned against the risks of ‘insufficient anonymisation’. The data are only pseudonymised before – this means that, theoretically, traceability to individuals is possible if one has the appropriate links.

This is especially important when you consider that Pharma You can request access to this data. Han Steutel, President of the Association of Research-Based Pharmaceutical Companies (VfA), is already very pleased about this. Of course, because for the industry this is a jackpot.

3. Privately insured persons and the Bundeswehr are excluded

Here’s where it gets really absurd: While the data all legally insured persons If they end up in the system, privately insured persons and the Bundeswehr are excluded.

Constanze Kurz asks the right question: Why actually? If the data is so secure and so important to research, why isn't it for everyone? The answer is obvious: Those who can afford it or who deal with state secrets protect their data. The rest? Data material.

The electronic health record: Compulsory soon?

Here's another bomb: According to leaked coalition negotiating documents, the electronic health record (ePA) is to be rolled out "mandatory sanction-reinforced" in 2025. Exactly what this means is unclear – but it does not sound like a voluntary decision.

From the end of 2025, the data from the ePA should also end up in the FDZ. This means: Not just your billing data, but potentially All medical information, which are stored in the ePA, may be used for research purposes.

You can disagree, but Kurz was already surprised at the conference that so far only a small proportion of the legally insured have done so. Why? Probably because most people just don't know what's going on.

The European Health Data Space: The Next Level

But that's not enough. The European Health Data Space (EHDS) has already entered into force. The BfArM is currently setting up a Data Access and Coordination Unit (DACO) to act as a national interface to the EHDS.

This means: In the future, your health data should not only be national, but also Accessible throughout the EU for research purposes to be. Researchers from all over Europe can then apply for access.

BfArM CEO Broich is proud that Germany is thus ‘at the centre of data-driven regulatory authorities’. He praised the European Medicines Agency’s DARWIN (Data Analysis and Real-World Interrogation Network) initiative, which had already ‘gained very important information’.

What do the proponents say?

Of course, there are also good arguments for the use of health data in research:

• Better medicines: Researchers can check the effectiveness, risks and side effects of drugs in practice – not just under laboratory conditions
• Rare diseases: In rare diseases, large data sets are important in order to conduct meaningful research at all
• Quality of supply: Health insurance companies are hoping for insights to improve care (and probably also savings potential)
• Cancer research: Oncologist Sebastian Hallek explains that one could finally check whether changes to therapy concepts are used correctly and quickly

These are all valid points. No one wants to prevent diseases from being better researched and treated.

But: Data protection is not an ‘excuse’

Thomas Köllmer from the Fraunhofer Institute put it in a nutshell: "Even if data protection were completely abandoned, Germany would not automatically become a leading location for artificial intelligence."

Constanze Kurz stressed that Data protection is not a preventer, but a prerequisite for trust be. And that's exactly what the crux is: If people do not know what happens to their data, if they do not have a real choice, if private policyholders are excluded – then trust is lacking.

Prof. Mohammadi from the University of Lübeck called for decentralized solutions instead of centralized data storage. Because large central databases are always an attractive target for hackers, intelligence agencies or economic interests.

MIT warns: 95% Businesses have no benefit from AI

An interesting side scene: Mohammadi referred to an MIT study, according to the 95% companies have not yet benefited from the use of AI systems.

This is in line with Köllmer’s statement that ‘everything is thrown in first’ (in large language models) in order to find suitable questions later on. In other words: You collect a lot of data because you can – not because you know exactly what it is for.

This is the exact opposite of data-saving research.

What does this mean for us?

Here is the uncomfortable truth: Your health data is already being used without most of you knowing or actively agreeing to it.

This is not a conspiracy theory, this is a fact. The FDZ Health has started, the data is there, applications can be submitted.

What you can do now:

1. Inform yourself: Look at the website of FDZ Health Find out what data is being used and how.
2. Contradictions in the ePA: If you do not want your ePA data to be used for research purposes, you must actively object. Contact your health insurance company and file a complaint
3. Remains critical: Just because something is ‘for research’ does not automatically mean that every form of data use is justified.
4. Calls for transparency: Talk to politicians, health insurance companies and doctors about it. Intransparency is the real problem

My conclusion

I am not opposed to medical research. On the contrary -> better drugs, more individual therapies, faster knowledge about diseases - all this is important and right.

But not so.

Not without real information and education. Not without a real choice. Not if privately insured persons are excluded. Not when pseudonymization is questionable. And not when pharmaceutical companies have direct access to the data of 75 million people.

Constanze Kurz is right: Data protection is not an obstacle to research, but a prerequisite for trust. And it is precisely this trust that is lacking when the majority of those affected do not even know that their data is already being used.

The GFF has not filed a lawsuit without reason. The CCC does not warn for no reason. And the fact that no one could (or wanted to) say how many people disagreed at the start-up press conference speaks volumes.

Germany has launched a huge data infrastructure project with the FDZ and the European Health Data Space. The technical possibilities are impressive, the hopes are high.

But fundamental rights like this Right to informational self-determination They cannot be ignored simply because research or the pharmaceutical industry would like to have access to the data.

Stay vigilant. Stay informed. And use your rights.

Sources & further links:

• Heise: Constanze Kurz of the CCC warns against dismantling health data protection
• Heise: BfArM CEO on plans for research data infrastructure
• Heise: Research Data Center Health takes up work
• Website of the FDZ Health
• GFF on the action against the FDZ
• CCC on Health Data Protection