Cyberattack on German hospital billing provider Unimed exposes data of tens of thousands of private patients
A cyberattack on the Saarland-based hospital billing service Unimed has compromised sensitive personal, financial, and health data of at least 80,000 private patients in Baden-Württemberg alone, with the full national toll still unclear.
The breach and its discovery
A cyberattack on Unimed, a nationwide hospital billing service provider based in Wadern, Saarland, has led to the theft of data from tens of thousands of patients. The company detected the intrusion in mid-April 2026 and immediately severed data interfaces to its clients as a precaution. Specialized external forensic analysts spent weeks examining the data outflow, allowing Unimed to identify affected individuals and notify hospitals by mid-May.
The vast majority of the leaked data is not particularly sensitive financial and health data of patients.
The attack targeted Unimed's IT infrastructure directly, not the hospitals themselves. According to the Saarland State Criminal Police Office's "Qualified Cybercrime" unit, unknown perpetrators gained unauthorized access to parts of the company's systems. Unimed stated that the attackers lost access during the attack itself and that no unauthorized third parties remain in its systems, which are now closely monitored by an external Security Operations Center.
Scale of the incident
In Baden-Württemberg alone, the state data protection commissioner has received breach notifications from 17 hospitals. The four university hospitals in the state first went public in mid-May, and subsequent reporting by local media has pushed the estimated number of affected patients in the southwest to at least 80,000. Unimed has declined to disclose its full client list or the total number of victims nationwide.
When health data and other sensitive data such as payment data fall into the hands of criminals, we assume a high risk.
The stolen data includes names, addresses, dates of birth, financial information such as account numbers, and health data covering diagnoses and treatment histories. Only private patients and self-payers are affected.
Jurisdictional complexity
Responsibility for the investigation is split across state lines. Because Unimed is headquartered in Saarland, the Saarland authorities lead the criminal probe and data protection oversight. The Cybercrime Center Baden-Württemberg at the Karlsruhe Public Prosecutor General's Office confirmed it is not directly handling the case. The Independent Data Protection Center Saarland supervises Unimed, while the Baden-Württemberg commissioner processes breach reports from hospitals in the southwest and has already received initial complaints from affected individuals.
Official and institutional responses
The Baden-Württemberg State Ministry of Health stated it has neither technical nor legal oversight over the hospitals and therefore no reporting obligation applies to it. The Federal Office for Information Security (BSI) declined to comment and referred inquiries back to Unimed. The Baden-Württemberg Hospital Association also did not provide information. The Tübingen University Hospital, which contacted all 902 of its affected patients, has since reopened its data connection to Unimed following a security review.
Advice for affected patients
Consumer protection authorities and data protection officials have issued guidance for those whose data may have been compromised. The consumer advice center recommends heightened vigilance: scrutinizing suspicious emails, closely monitoring bank and credit card statements, and verifying the identity of anyone making unexpected contact referencing medical treatments, insurance, or health services. The state data protection commissioner also warned against sharing sensitive health information during unsolicited calls or messages and urged caution with invoices that may have been manipulated.
They should also carefully check recipients when paying invoices, as potentially manipulated invoices may be sent.
Under the GDPR, affected individuals have the right to inquire whether and which of their data were involved and may pursue civil claims for material or immaterial damages if a GDPR violation such as inadequate security caused the incident and led to a tangible, noticeable disadvantage. Unimed's current assessment, based on its commissioned specialists, is that a publication of the stolen data is no longer probable and there are no indications of concrete misuse so far.
- Unimed detects unauthorized access to its IT infrastructure and severs data interfaces to clients.
- Forensic analysis completed; Unimed provides affected-patient data to hospitals so they can notify individuals.
- At least 17 hospitals in Baden-Württemberg have filed breach reports; Tübingen University Hospital reopens Unimed connection.


