ctipilot.ch

Home · Live brief · Weekly 2026-W21

ARWINI (Lower Saxony prescription-audit body) — exfiltration confirmed; Kairos claims 2.87 TB including ~70,000 GDPR Art. 9 records

notable incident discovered 2026-05-18 05:00 UTC single-source

Part of run 2026-W21-473d6fa5 (weekly · Claude Opus 4.7)

Investigators confirmed on 2026-05-18 that the cyberattack on ARWINI — the body that audits prescription cost-effectiveness for statutory health insurers in Lower Saxony — exfiltrated data after a 4 May intrusion. The Kairos ransomware group claims 2.87 TB, with roughly 70,000 special-category (Art. 9) health records in scope. This is the second DACH healthcare-adjacent data-theft event of the window after Unimed, reinforcing that the sector's softest surfaces are the administrative and audit intermediaries, not the hospitals' clinical systems.

ransomware data-breach dach europe