Massive Cyberattack Exposes Data of Tens of Thousands from Multiple Hospitals

Severity: High (Score: 66.0)

Sources: www.swr.de, ga.de

Published: 2026-05-22 · Updated: 2026-05-22

Keywords: einem, cyberangriff, cyberattack, tens, thousands, data, hospital

Severity indicators: data stolen, rat, hospital, cyberattack

Summary

A cyberattack on an external service provider has compromised the data of tens of thousands of patients across several university hospitals in Baden-Württemberg, Germany. The attack, which occurred in mid-April 2026, primarily affected private patients, with the Unimed service provider being the target. Hospitals including Freiburg, Heidelberg, Tübingen, and Ulm reported significant data theft, including names, addresses, and billing information. The University Hospital of Freiburg alone confirmed that data from approximately 54,000 patients was stolen, with sensitive financial information compromised in some cases. The University Hospital of Cologne also reported around 30,000 affected patients, with similar types of data stolen. All affected hospitals have ceased operations with the service provider and reported the incident to data protection authorities. The full extent of the breach is still being assessed.

Key Points:

  • Over 54,000 patients from Freiburg and 30,000 from Cologne affected by data theft.
  • Sensitive patient information including names, addresses, and billing details compromised.
  • Attack targeted an external service provider, not the hospitals' internal systems.

Detailed Analysis

**Impact** Approximately 100,000 patients from multiple university hospitals in Germany were affected, including Freiburg (54,000), Heidelberg (11,000), Tübingen (several thousand), Ulm (1,600), Mannheim (3,000), and Köln (30,000). Data stolen includes personal identifiers (names, birthdates, addresses), billing and financial information, and in some cases sensitive health data such as diagnoses and treatment details. The breach impacts patients with private insurance, private supplementary insurance, or self-paying status, including some international patients. Clinical systems and patient care operations were not affected.

**Technical Details** The attack targeted an external billing service provider, Unimed, which processes private patient billing for multiple hospitals. The breach was discovered mid-April 2026, with notification to authorities on April 16. No specific malware, CVEs, or attack tools were disclosed. The attack appears to have involved unauthorized access to the service provider’s data systems, affecting the data transmission and storage stage of the kill chain. No IOCs were provided.

**Recommended Response** Hospitals and service providers should immediately review and restrict third-party access controls and monitor for unusual data exfiltration activity. Patient data transmission processes should be audited and encrypted where possible. Organizations must ensure timely notification to affected individuals and regulatory bodies. Since no technical indicators were provided, defenders should focus on monitoring network traffic to and from third-party service providers and enhancing endpoint detection on systems handling sensitive data.

Source articles (2)

  • Cyberattack: Tens of Thousands of Data Stolen From Hospital Patients — www.swr.de · 2026-05-22
    In a cyberattack on an external service provider, criminals have stolen data of tens of thousands of patients of hospitals in Baden-Württemberg. For the most part it concerns info…
  • Data Theft: Tens of Thousands of University Hospital Patients Affected by Cyberattack — ga.de · 2026-05-22
    Cologne · Diagnoses, addresses, billing information: The University Hospital of Cologne is also affected by a cyberattack on a service provider. What steps it is now taking. In a cyberattack, data …

Timeline

  • 2026-04-16 — Data breach reported to authorities: The University Hospital of Freiburg informed the data protection authority about the breach.
  • 2026-04-18 — Cyberattack occurred: The cyberattack on the service provider, Unimed, took place, leading to data theft.
  • 2026-05-18 — Extent of data breach confirmed: Hospitals confirmed the scale of the data breach affecting tens of thousands of patients.
  • 2026-05-22 — Public announcement of breach: Hospitals publicly announced the breach and began notifying affected patients.

Related entities

  • Data Breach (Attack Type)
  • Uniklinik Freiburg (Company)
  • Uniklinik Heidelberg (Company)
  • Uniklinik Köln (Company)
  • Uniklinik Mannheim (Company)
  • Uniklinik Tübingen (Company)
  • Uniklinik Ulm (Company)
  • Unimed (Company)
  • Universitätskliniken Freiburg (Company)
  • Universitätskliniken Heidelberg (Company)
  • Universitätskliniken Tübingen (Company)
  • Universitätskliniken Ulm (Company)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)