Unimed cyberattack exposes 54,000 patients

- On May 21, 2026, University Hospital Freiburg said a cyberattack on an external billing provider exposed data from about 54,000 patients.
- Freiburg said names, birth dates and addresses were stolen in 54,000 cases; about 900 records also included billing data that could reveal diagnoses.
- Freiburg said people whose health data may have been stolen will be contacted directly, after authorities and Germany's BSI were notified.

University Hospital Freiburg said on May 21 that a cyberattack on an external billing service provider led to the theft of data tied to about 54,000 of its patients. The hospital said the attack hit the provider, not Freiburg’s own clinical systems, and that patient care was not disrupted. The affected records relate to patients with private insurance, supplementary private insurance or self-pay arrangements, according to the hospital. German media later identified the provider as Saarland-based Unimed, which says it serves most university hospitals in Germany.

The Freiburg case is large enough to stand on its own, but it also shows how a hospital breach can begin outside the hospital itself. The immediate failure point was not bedside software or internal clinical infrastructure. It was a third-party billing link that handled a specific slice of patient administration. (uniklinik-freiburg.de)

### How much data did Freiburg say was taken?

Freiburg said data from around 54,000 patients were stolen, including basic identifying information such as names, dates of birth and addresses. In about 900 cases, the hospital said billing data were also taken, and those records could reveal diagnoses and the type of treatment provided. In a single-digit number of cases, bank account data were also affected, the hospital said. (uniklinik-freiburg.de)

Prof. Dr. Frederik Wenz, Freiburg’s medical director, said health data are among the most sensitive categories of personal information and called the theft a serious intrusion for those affected. He said the hospital was demanding a full explanation from the service provider and was examining legal steps. (uniklinik-freiburg.de)

### Why was a billing provider holding this information?

Freiburg said the outside company handled billing for patients with private supplementary coverage and for self-payers. SWR reported that the same model was used by several university hospitals in Baden-Württemberg, meaning the provider sat in the administrative path for a narrow but sensitive class of patient records. Ordinary statutory-insurance patients were not part of the affected group in Freiburg, according to the broadcaster. (uniklinik-freiburg.de)

Heise reported that Unimed describes itself as serving 95% of university hospitals in Germany and 51% of clinics with more than 600 beds. That footprint helps explain why one provider incident produced disclosures from multiple hospitals at once. (uniklinik-freiburg.de)

### When did the attack happen, and when did Freiburg learn the scale?

Freiburg said the cyberattack occurred in mid-April 2026. The hospital said it stopped sending data to the provider immediately after learning of the incident, and that the responsible data-protection authority and Germany’s Federal Office for Information Security, or BSI, were informed on April 16, 2026. (heise.de)

May 18 became the key date for public disclosure. Freiburg said the concrete scope of the outflow and the type of data involved were only communicated reliably on May 18, which is why it informed the public afterward. That gap matters because it shows the difference between knowing an incident occurred and knowing what was actually taken. (uniklinik-freiburg.de)

### What has Unimed said about the intrusion?

Unimed said, according to Heise and SWR, that attackers tried to encrypt its systems in mid-April but were stopped before that could happen. The company said data still left a “limited area” before defenses took hold, including communications related to billing disputes. Unimed did not disclose the attack vector and said it could not provide further details about customers and their data. (uniklinik-freiburg.de)

SWR reported that Unimed said it had further secured its IT systems after the incident. Several hospitals, including Freiburg, said they had halted data transfers to the provider once the breach became known.

### Which other hospitals have reported exposure?

Heise reported that Cologne said about 30,000 records were affected, including 843 cases with health data and five with financial data. (heise.de)

Düsseldorf reported more than 3,000 cases with general patient data and 162 cases where health data may also be affected, while Mainz reported up to 2,764 affected private patients and self-payers. Ulm, Mannheim and Saarland’s university hospital in Homburg also reported cases, and Heidelberg and Tübingen confirmed incidents without detailed figures, according to Heise and SWR. (swr.de)

Freiburg said patients for whom there are indications that health data may have been stolen will be contacted personally. The hospital also set up a dedicated email address for questions and said it would publish further information as secured findings become available. (uniklinik-freiburg.de) (heise.de)
