ctipilot.ch


Six German university hospitals lose ~97,600+ patient records to a breach at billing processor Unimed

From CTI Daily Brief — 2026-05-24 · published 2026-05-24

Unimed, a Saarland-based billing-service provider that handles private-insurance and self-payer invoicing for an estimated 95% of German university hospitals, was breached in mid-April 2026; attackers exfiltrated patient data and an attempted full encryption of Unimed's infrastructure was reportedly averted (heise online, 2026-05-22). On 2026-05-21 at least six state-funded Universitätsklinikum hospitals — Cologne, Freiburg, Heidelberg, Tübingen, Ulm and Mannheim — disclosed that their patients' data was among the stolen records (The Record, 2026-05-22). University Hospital Freiburg states master data for ~54,000 patients (names, addresses, dates of birth) was taken, with billing records for ~900 patients additionally exposing diagnoses and treatment methods, and bank-account data in a small number of those cases (Uniklinik Freiburg, 2026-05-21); Cologne reports ~30,000 affected (Uniklinik Köln, 2026-05-21). The exposed categories include GDPR Article 9 special-category health data (diagnoses, treatment codes) and financial data (IBANs). Attribution is open: heise states it is "not yet known who is responsible" for the Unimed attack, and The Record likewise reports no actor had publicly claimed responsibility at its publication. The intrusion does rhyme with the earlier ARWINI Lower-Saxony statutory-billing breach (covered 2026-05-19) — which the Hannover Police Directorate attributed to the Kairos ransomware group per heise — but that resemblance is an analyst pattern-overlap, not a sourced attribution of the Unimed breach.