ctipilot.ch

ARWINI (Lower Saxony statutory-prescription audit body) — data exfiltration confirmed by LKA

incident · item:arwini-lower-saxony-statutory-prescription-audit-body-data-

Coverage timeline
1
first 2026-05-19 → last 2026-05-19
Briefs
1
1 distinct
Sources cited
3
3 hosts
Sections touched
1
active_threats
Co-occurring entities
2
see Related entities below

Story timeline

  1. 2026-05-19CTI Daily Brief — 2026-05-19
    active_threatsFirst coverage. LKA Niedersachsen confirms data exfiltration 2026-05-18; ~70K GDPR Art. 9 patient records likely affected; KRITIS/NIS2UmsuCG and LfD Niedersachsen notified; no actor named.

Where this entity is cited

  • active_threats1

Source distribution

  • aerzteblatt.de1 (33%)
  • borncity.com1 (33%)
  • heise.de1 (33%)

Related entities

All cited sources (3)

Items in briefs about ARWINI (Lower Saxony statutory-prescription audit body) — data exfiltration confirmed by LKA (1)

ARWINI (Lower Saxony statutory-prescription audit body) — investigators confirm data exfiltration after 4 May intrusion; Kairos ransomware group claims 2.87 TB; ~70,000 GDPR Art. 9 records in scope

From CTI Daily Brief — 2026-05-19 · published 2026-05-19 · view item permalink →

Investigators confirmed on 2026-05-18 that the cyberattack on ARWINI — the Arbeitsgemeinschaft Wirtschaftlichkeitsprüfung Niedersachsen e.V., which audits prescription cost-effectiveness for statutory-health-insurance (GKV) patients in Lower Saxony via data exchange with Kassenärztliche Vereinigung Niedersachsen (KVN), AOK and other insurers — resulted in confirmed exfiltration of personal data (Deutsches Ärzteblatt, 2026-05-18; Heise Security, 2026-05-18). Intrusion signs were detected on ARWINI servers on 2026-05-04 and all systems were shut down on the same day; ARWINI's own statement, cited by Borns IT Blog on 2026-05-16, said particularly sensitive personal data (besondere Kategorien — GDPR Art. 9) are likely affected, with health and billing data on ≥70,000 patients in scope (Borns IT Blog, 2026-05-16). The Polizeidirektion Hannover is the investigating authority; the Landesbeauftragter für Datenschutz Niedersachsen (LfD) and BSI have been notified under the GDPR 72-hour rule and the German KRITIS / NIS2UmsuCG framework. Heise reports the Kairos ransomware group has claimed the attack and is threatening to sell approximately 2.87 TB of stolen data on its leak site, with attackers' leak-site claim dated 2026-05-11. The technical pattern is consistent with double-extortion ransomware now in the operator-leak-site phase.

Why it matters to us: GKV bodies and their mandated third-party auditors are NIS2 entities; the supply-chain relationship between KVN/AOK and ARWINI is precisely the data-processor scope hit by NMDL/IGJ in the Netherlands (covered 2026-05-14). Defender pattern: any GKV / AHV / cantonal health-insurance data-exchange counterparty should be inventoried as an in-scope critical-supplier under §8b BSI-Gesetz / NIS2UmsuCG, with breach-notification playbooks rehearsed for the 72-hour GDPR clock from a third party's detection event, not just one's own. Monitor for downstream phishing using GKV billing-data lures targeting affected patient cohorts.