Cyberattack on German hospital billing firm Unimed steals data of tens of thousands of patients
Unidentified attackers breached the systems of German hospital billing company Unimed in mid-April, stealing sensitive data of tens of thousands of private and self-paying patients. The full extent emerged in recent days, with at least 72,000 patients affected at four university hospitals in Baden-Württemberg alone. The BSI warned the stolen data could be used for targeted phishing or extortion.
Unidentified attackers breached the systems of German hospital billing company Unimed in mid-April, stealing sensitive data of tens of thousands of private and self-paying patients. The full extent of the data theft became clear only in the days before May 18, with at least 72,000 patients affected at four university hospitals in Baden-Württemberg alone.
Unimed, a billing service provider for hospitals based in Saarland, said the attack was repelled after a short time. The company stated that the attackers planned full encryption of its systems but failed; data was exfiltrated before they were repelled. Unimed said it regretted the damage caused and, together with experts, secured the system after the attack. The company is now fully operational again.
Data of private patients and self-payers was stolen. Publicly insured patients with supplementary insurance may also be affected, according to Baden-Württemberg's Science Minister Petra Olschowski (Greens). Attackers obtained basic data including name, address, and date of birth, and in some cases accessed billing information that revealed diseases.
University Hospital Cologne reported 30,000 patients affected. University Hospital Düsseldorf reported more than 3,000 cases. In Baden-Württemberg, attackers stole data of more than 72,000 patients from the university hospitals of Freiburg, Ulm, Heidelberg, and Tübingen. Mainz University Medicine reported up to 2,764 affected patients. UKE Hamburg reported more than 5,000 affected patients. Saarland University Hospital reported about 1,200 cases. The UKSH in Kiel also reported stolen patient data.
The Federal Office for Information Security (BSI) warned that the stolen data could be used for highly targeted phishing or extortion attempts. "With this knowledge, phishing emails or extortion attempts can be tailored very individually," the BSI said. The responsible data protection authority and the BSI were informed on April 16, 2026, according to a statement from Freiburg University Hospital. The full scale of the data leak was determined on May 18, according to SWR.
Sebastian Schinzel, professor of electrical engineering and computer science at FH Münster, said cybercriminals often sell stolen data on the darknet.