(Image: Siam Stock/Shutterstock.com). A cyberattack on the billing service provider Unimed has affected numerous hospitals across Germany and sensitive data of tens of thousands of patients. Unimed is being evasive. A cyberattack on the Saarland-based billing service provider Unimed has affected numerous hospitals nationwide. According to its own information, the company manages 95 percent of all university hospitals in Germany as well as 51 percent of all hospitals with more than 600 beds. According to the affected facilities, patient data from tens of thousands of private patients and self-payers were stolen. The hospitals themselves emphasize that their internal systems and patient care were not affected. The attack occurred in mid-April 2026 according to Unimed. The company stated that the incident had been reported to the Saarland State Criminal Police Office. According to Unimed’s account, the attackers wanted to encrypt the systems. While this was prevented, data flowed out from a “limited area” before the defense was mounted. According to Unimed, this also included communication regarding billing disputes. When asked about other affected facilities, Unimed stated: “Please understand that as a service provider we cannot provide further information about our customers and their data.” Unimed also made no statements about the attack vector. Hospitals publish figures. In the meantime, numerous hospitals have published concrete figures. The University Hospital Freiburg was particularly severely affected: [1] According to the hospital, master data of approximately 54,000 patients was stolen, including names, addresses and dates of birth. In approximately 900 cases, billing data was additionally affected, from which diagnoses and treatment types could be derived. In a few cases, account data also flowed out. The University Hospital Cologne reports [2] approximately 30,000 affected data records. These include 843 cases with health data as well as five cases with financial data such as IBAN or account numbers. At the University Hospital Düsseldorf, it involves more than 3,000 cases with general patient data [3] as well as 162 cases in which health data could also be affected. University Medicine Mainz reports [4] up to 2,764 affected private patients and self-payers. Further cases were reported by Ulm, Mannheim, and the University Hospital of the Saarland in Homburg [5]. There, 1,266 patients are said to be affected. In Ulm, approximately 1,600 patients are affected [6], and in about 300 cases, diagnosis and treatment data could also have flowed out. Mannheim reports [7] approximately 3,000 affected individuals and one case with compromised financial data. Heidelberg [8] and Tübingen also confirm incidents [9], but have not yet provided detailed figures. Several of the affected hospitals stated that they stopped data transmission to Unimed immediately after the incident became known. In addition, data protection authorities and the German Federal Office for Information Security (BSI) were informed. Many facilities announced that they would notify affected individuals in writing and review legal action. Unimed stated on Friday that the systems were now fully operational again. External IT forensics experts examined and secured the infrastructure. According to Unimed, there is no evidence that attackers are still in the system. Ransomware at billing service provider affects patients with statutory insurance in Lower Saxony. Just days ago, it became known that after a cyberattack on the Working Group for Cost-Effectiveness Audits Lower Saxony (Arwini e. V.), sensitive health and billing data also flowed out [10]. Arwini audits the cost-effectiveness of medical prescriptions on behalf of statutory health insurance companies and the Association of Statutory Health Insurance Physicians Lower Saxony. The Hannover police department confirmed to heise online that the ransomware group “Kairos” is behind the attack. The perpetrators are threatening to publish an alleged 2.87 terabyte dataset. Who is responsible for the successful attack on Unimed is not yet known. According to the company, up to 75,000 data records could be affected at Arwini. The Association of Statutory Health Insurance Physicians Lower Saxony stated that pseudonymized billing data is transmitted to the audit office quarterly. While patient data is anonymized, the data records contain physician-related information such as physician numbers and facility numbers, so practices remain identifiable. According to police, investigators are in international contact regarding the “Kairos” group. (mack [12]). URL of this article: https://www.heise.de/-11304982. Links in this article: https://www.uniklinik-freiburg.de/presse/pressemitteilungen/detailansicht/6807-cyberangriff-auf-externen-dienstleister-betrifft-auch-daten-von-patientinnen-des-universitaetsklinikums-freiburg.html https://www.uk-koeln.de/uniklinik-koeln/aktuelles/detailansicht/cyberkriminelle-entwenden-patientendaten-bei-externem-abrechnungs-dienstleister/ https://www.uniklinik-duesseldorf.de/ueber-uns/pressemitteilungen/detail/cyberkriminelle-entwenden-patientendaten-bei-ehemaligem-externem-abrechnungs-dienstleister-des-ukd https://mainzund.de/hackerangriff-auf-it-dienstleister-patientendaten-der-unimedizin-mainz-gestohlen-zehntausende-daten-in-bawue-entwendet/ https://www.wochenblatt-reporter.de/saarland/c-ratgeber/cyberangriff-bei-uniklinik-homburg-1266-patienten-betroffen_a780688 https://www.uniklinik-ulm.de/aktuelles/detailansicht/cyberangriff-auf-externen-dienstleister-betrifft-auch-abrechnung-von-wahlleistung-des-uku.html https://www.umm.de/medien/news/news/datenschutzvorfall-bei-einem-externen-dienstleister/ https://www.klinikum.uni-heidelberg.de/newsroom/cyberangriff-auf-externen-dienstleister-betrifft-auch-daten-von-patienten-des-universitaetsklinikums-heidelberg https://www.medizin.uni-tuebingen.de/de/das-klinikum/pressemeldungen/meldung/783 https://www.heise.de/news/Niedersachsen-Datenabfluss-bei-Wirtschaftsprueferverein-im-Gesundheitswesen-11297772.html Copyright © 2026 Heise Medien
heise security News