A cyber attack on the Saarland billing service provider Unimed affects numerous university hospitals nationwide. According to its own information, the company looks after 95 percent of all university hospitals in Germany and 51 percent of all clinics with more than 600 beds. According to the hospitals affected, patient data from tens of thousands of private patients and self-payers were stolen. The clinics themselves emphasize that their internal systems and patient care have not been affected.
Read more after the ad
According to Unimed, the attack occurred in mid-April 2026. The company said the incident had been reported to the Saarland State Criminal Police Office. According to Unimed, the attackers wanted to encrypt the systems. This was prevented, but data was leaked from a “limited area” before the defense. According to Unimed, this also included communication regarding billing contradictions.
When asked about other affected facilities, Unimed explained: “Please understand that as a service provider we cannot provide any further information about our customers and their data.” Unimed also did not provide any information about the attack vector.
Clinics publish numbers
Numerous clinics have now published concrete figures. The Freiburg University Hospital is particularly hard hit: According to the clinic, master data from around 54,000 patients was stolen, including names, addresses and dates of birth. In around 900 cases, billing data was also affected, from which diagnoses and types of treatment could be derived. In a few cases, account data was also leaked. The University Hospital of Cologne reports around 30,000 affected data sets. These include 843 cases with health data and five cases with financial data such as IBAN or account numbers.
At the University Hospital Düsseldorf there are more than 3,000 cases with general patient data as well as 162 cases in which health data could also be affected. The Mainz University Medical Center speaks of up to 2,764 affected private patients and self-payers.
Other cases were reported in Ulm, Mannheim and the Saarland University Hospital in Homburg, among others. 1,266 patients are said to be affected there. Around 1,600 patients are affected in Ulm, and diagnostic and treatment data may have been leaked in around 300 cases. Mannheim reports around 3,000 affected people and one case with compromised financial data. Heidelberg and Tübingen also confirm incidents, but have not yet provided any detailed figures.
Read more after the ad
Several of the affected clinics stated that they had stopped data transfer to Unimed immediately after the incident became known. In addition, data protection authorities and the Federal Office for Information Security (BSI) were informed. Many companies announced that they would notify those affected in writing and consider legal action. Unimed said on Friday that the systems were now fully operational again. External IT forensic experts examined and secured the infrastructure. According to Unimed, there is no evidence that attackers are still in the system.
Ransomware at billing service providers affects statutory health insurance patients in Lower Saxony
Only a few days ago it became known that sensitive health and billing data was also leaked following a cyber attack on the Lower Saxony Performance Auditing Association (Arwini e. V.). Arwini examines the cost-effectiveness of medical prescriptions on behalf of statutory health insurance companies and the Lower Saxony Association of Statutory Health Insurance Physicians. The Hanover Police Department confirmed to heise online that the ransomware group “Kairos” was behind the attack. The perpetrators are threatening to publish a data set that is supposedly 2.87 terabytes in size. It is not yet known who is responsible for the successful attack on Unimed.
According to the company, up to 75,000 data records could be affected at Arwini. The Lower Saxony Association of Statutory Health Insurance Physicians explained that pseudonymized billing data would be sent to the testing center on a quarterly basis. Although patient data is anonymized, the data sets contain doctor-related information such as doctor numbers and business location numbers, so that practices remain identifiable. According to the police, investigators are in international contact regarding the “Kairos” group.
(mack)
