Patient data affected: Cyberattack on billing service provider for clinics

A cyberattack on the billing service provider Unimed affects numerous university hospitals and sensitive data of tens of thousands of patients.


A cyberattack on the Saarland-based billing service provider Unimed affects numerous university hospitals nationwide. According to its own statements, the company serves 95 percent of all university hospitals in Germany and 51 percent of all clinics with more than 600 beds. According to the affected institutions, patient data of tens of thousands of private patients and self-payers were stolen. The clinics themselves emphasize that their internal systems and patient care were not affected.

According to Unimed, the attack occurred in mid-April 2026. The company announced that the incident had been reported to the Saarland State Criminal Police Office. Unimed stated that the attackers intended to encrypt the systems. While this was prevented, data was exfiltrated from a “limited area” before the defense could be mounted. According to Unimed, this also included communication regarding billing disputes.

When asked about further affected institutions, Unimed explained: “We ask for your understanding that as a service provider, we cannot provide any further information about our customers and their data.” Unimed also made no statements about the attack vector.


Numerous clinics have now published specific figures. The University Hospital Freiburg is particularly hard hit: According to the clinic, master data of around 54,000 patients were stolen, including names, addresses, and dates of birth. In around 900 cases, billing data were also affected, from which diagnoses and treatment methods could be derived. In a few cases, account data were also exfiltrated. The University Hospital Cologne reports around 30,000 affected data records. These include 843 cases with health data and five cases with financial data such as IBAN or account numbers.

At the University Hospital Düsseldorf, there are more than 3,000 cases with general patient data and 162 cases where health data may also be affected. The University Medical Center Mainz speaks of up to 2,764 affected private patients and self-payers.

Further cases were reported by Ulm, Mannheim, and the University Hospital of Saarland in Homburg, among others. There, 1,266 patients are said to be affected. In Ulm, around 1,600 patients are affected, and in about 300 cases, diagnosis and treatment data may also have been exfiltrated. Mannheim reports around 3,000 affected individuals and one case with compromised financial data. Heidelberg and Tübingen also confirm incidents, but have not yet provided detailed figures.

Several of the affected clinics stated that they stopped data transfer to Unimed immediately after becoming aware of the incident. Furthermore, data protection authorities and the Federal Office for Information Security (BSI) were informed. Many institutions announced that they would notify affected individuals in writing and consider legal action. Unimed announced on Friday that the systems are now fully operational again. External IT forensic experts had examined and secured the infrastructure. According to Unimed, there are no indications that attackers are still present in the system.

Just a few days ago, it became known that sensitive health and billing data were also exfiltrated after a cyberattack on the Arbeitsgemeinschaft Wirtschaftlichkeitsprüfung Niedersachsen (Arwini e. V.). Arwini examines the cost-effectiveness of medical prescriptions on behalf of statutory health insurance funds and the Association of Statutory Health Insurance Physicians of Lower Saxony. The Hannover Police Directorate confirmed to heise online that the ransomware group “Kairos” is behind the attack. The perpetrators are threatening to publish an alleged 2.87 terabyte dataset. It is not yet known who is responsible for the successful attack on Unimed.

According to the company, up to 75,000 data records could be affected at Arwini. The Association of Statutory Health Insurance Physicians of Lower Saxony stated that pseudonymized billing data are transmitted to the auditing office on a quarterly basis. Although patient data are anonymized, the data sets contain doctor-related information such as doctor numbers and practice numbers, making practices identifiable. According to the police, investigators are exchanging information internationally regarding the “Kairos” group.

(mack)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.