After the unimed Incident: What Hospitals Should Now Demand from Their Data Service Providers
Over 120,000 patient records exfiltrated at a billing service provider; one hospital is demanding damages. The facts of the unimed incident — and the checklist that follows from them.

Dr. Sven Jungmann
CEO

On April 14, 2026, ransomware attackers struck unimed Abrechnungsservice für Kliniken und Chefärzte GmbH, one of Germany's largest service providers for private-practice physician billing. According to the company, encryption of the systems was prevented; before that, however, data was exfiltrated from what the company described as a "narrowly confined area" [1]. What followed has occupied German hospitals ever since.
The facts, as of mid-July 2026
According to the combined disclosures of the hospitals involved, more than 120,000 patient records from around ten hospitals are affected, including several university hospitals: Freiburg reported around 54,000 affected individuals, Cologne around 30,000, Heidelberg around 11,000, plus — among others — UKSH, UKE, Mannheim, Mainz, Ulm, and Homburg [2, 3]. Exfiltrated were master data, billing data — from which diagnoses and treatments can be inferred —, correspondence on billing disputes, and in individual cases bank account details [2]. According to research by the broadcaster NDR, around 1,500 records contained excerpts from patient files including diagnoses [3]. The Saarland state criminal police office is investigating; public notification of those affected began around five weeks after the attack, which drew pointed criticism in the professional community [3, 4].
The municipal hospital of Pirmasens, with roughly 1,500 affected records, is now demanding damages from the service provider and is examining legal action [5]. No filed lawsuit is known so far; several hospitals have filed criminal complaints and severed their data connections to the provider [4].
Two things belong to the honesty of this summary. First: according to its own statements, unimed informed the security authorities within two days, and it states that there is no evidence the data has been published [1]. Second: an incident of this kind can, in principle, happen to anyone. The useful response is a checklist.
The real lesson: your service provider is part of your attack surface
Under data protection law, the hospital remains responsible to its patients — even when it is the processor that gets attacked [6]. The incident has shifted the industry debate accordingly: away from the question "Is the vendor certified?" toward the question "What data does it hold in the first place, and why?". In the discussion around the German implementation of NIS2, service providers have moved into focus as possible entry gates for attackers [4].
The unimed case illustrates a structural problem of classic outsourcing: for private-practice billing, parts of patient files travel to the service provider, physically or digitally — master data, diagnoses, correspondence, sometimes over years. Every one of these copies is a second place where the same health data can be stolen. The question to ask any service provider — billing, documentation, AI — is therefore not only how well it protects itself, but how much it holds.
Seven requirements for any reassessment
Anyone reviewing contracts or exploring alternatives after the incident should, in our view, insist on seven points:
- Demonstrable data minimization: the provider can state, per process step, which data categories it receives — and what it explicitly does not receive.
- Processing exclusively in the EU, with named subprocessors and no tacit third-country transfers.
- Deletion proofs: defined retention periods and auditable proof of actual deletion.
- A current, externally audited security certificate at the level of the service itself — for aiomics, that is ISO 27001, certified by TÜV Nord.
- Notification paths in the contract: concrete deadlines and channels for when things go wrong — five weeks until notification is the counterexample.
- No training of AI models on your data, as a contractual clause.
- Architecture over trust: access that is technically impossible does not need to be promised — ask which commitments the system itself enforces.
We have compiled a detailed contract checklist for AI service providers in a separate article: Die AVV für Klinik-KI: zehn Punkte, an denen Verträge scheitern — the data processing agreement (AVV) for hospital AI: ten points where contracts fail (in German).
Where aiomics belongs in this picture — and where it does not
For completeness: aiomics is not a classic billing service provider and does not present itself as a replacement for factoring or collections. aiomics is the verification layer on top of hospital IT — it reads incoming documents, checks every statement against the source, and provides the hospital with an evidenced, structured record for admission, the Falldialog (the pre-review case dialogue with payers), and billing preparation. The data stays in an EU environment; transmission to payers remains with the hospital's own system. For elective-physician billing, we are currently trialing, together with an established billing partner, an offering built on exactly these principles — data minimization, EU processing, verifiable deletion. It is in trial use, and we will not call it anything else until it deserves the name.
Today, aiomics is in use in German rehab clinics; its accuracy is being independently evaluated at Charité. If, after the unimed incident, you are reorganizing your service provider landscape and want a second opinion on data architecture, write to us — even if no aiomics product comes out of it in the end.
Sources
- unimed GmbH. Pressemitteilungen vom 22.05. und 29.05.2026. unimed.de/presse.
- Heise online. Bericht zum Cyberangriff auf den Abrechnungsdienstleister unimed, 22.05.2026. heise.de.
- Zusammengeführte Berichterstattung zum Umfang des Vorfalls, u. a. drweb.de sowie borncity.com (22.05.2026); NDR-Recherchen zu Aktenauszügen dort zitiert.
- kma Online. Berichterstattung zum unimed-Vorfall und zur NIS-2-Debatte (Beiträge 55722 und 55760), u. a. 04.06.2026. kma-online.de.
- Die Rheinpfalz. Bericht zur Schadenersatzforderung des Städtischen Krankenhauses Pirmasens, 07.07.2026. rheinpfalz.de.
- Universitätsklinikum Düsseldorf. Pressemitteilung zum Datenabfluss beim ehemaligen externen Abrechnungsdienstleister. uniklinik-duesseldorf.de; zur Verantwortlichkeit: Art. 4 Nr. 7, Art. 28 DSGVO.
Sources retrieved in July 2026. Figures on affected individuals reflect the reporting status of mid-July 2026 and may change as the incident is further investigated.
Reporting status: July 15, 2026. Details of the incident are based on the cited sources; aiomics has no business relationship with unimed GmbH.


