Cyberattack Exposes 54,000 University Hospital Freiburg Patients' Sensitive Data


In mid-April 2026, a targeted cyberattack hit Unimed, an external billing service for University Hospital Freiburg, resulting in the theft of data from approximately 54,000 patients. Stolen records included names, birth dates, addresses, and in 900 instances, billing details revealing diagnostic information. Upon detection, the clinic halted data transmissions and notified authorities. Affected individuals can now access Stoll & Sauer's free GDPR online assessment to evaluate potential compensation claims under Article 82.

Targeted Mid-April Cyberattack Hits Unimed Billing Service, Freiburg Reports

According to current findings, the intrusion occurred in mid-April 2026 and specifically targeted Unimed, the external billing service handling private supplementary insurance and self-paying patients for University Hospital Freiburg. Upon discovering the breach, the hospital reported the incident on May 21, 2026, and immediately ceased all data transmissions to the provider. Patient care operations and core clinical systems continued without interruption, ensuring that treatment schedules remained secure and fully functional.

Cyberattack Exposes 54,000 Patients’ Personal Data and Sensitive Billing

According to the hospital, attackers accessed personal files of approximately 54,000 patients, obtaining identifying information such as names, dates of birth, and residential addresses. In roughly 900 instances, the intrusion extended to detailed billing records revealing diagnostic codes and treatment descriptions. In a single-digit number of cases, financial account information was also compromised. The breach highlights the vulnerability of both basic personal data and sensitive health and payment-related records.

Freiburg Hospital Reports Breach To Authorities, Suspends Unimed Transfers

Immediately upon identifying the security breach on April 16, 2026, the University Medical Center Freiburg notified both the relevant state data protection authority and the Federal Office for Information Security (BSI). The institution halted all data transfers to its billing service provider, Unimed, pending a thorough assessment. The clinic is evaluating potential criminal and data protection legal actions against the vendor to ascertain accountability and secure patient information from misuse.

Ulm, Heidelberg, Tübingen Clinics Under Cyberattack Affecting 71k Patients

According to media coverage, the University Clinics in Ulm, Heidelberg, and Tübingen have also been subjected to comparable cyberattacks that resulted in the compromise of personal data of up to 71,000 patients. Variations in the numbers reported across different press outlets indicate that the precise extent of affected individuals remains unclear and may evolve during ongoing investigations. This discrepancy underscores the challenges in consolidating reliable statistics following large-scale data breaches.

GDPR classifies health data as highly sensitive personal information

Under the GDPR, health-related information belongs to a specially protected category of personal data, requiring appropriate safeguards and handling protocols. Detailed billing records may inadvertently disclose diagnostic conclusions, therapeutic interventions, and medical procedures received by individuals. Exposure of such combined clinical and financial records through a security breach can facilitate various malicious activities, including identity theft, targeted phishing schemes, and extortion attempts, and leaves patients without control over highly sensitive private information.

GDPR Article 82 enables claims for non-material damage compensation

Under Article 82 of the GDPR, data subjects are entitled to seek compensation for non-material harms resulting from data breaches, including anxiety, distress, or loss of autonomy. The Court of Justice of the European Union and Germany's Federal Court of Justice have affirmed that deprivation of informational self-determination qualifies as a compensable injury, regardless of any economic loss. This reinforces the recognition of intangible rights in the data protection framework.

Stoll & Sauer offers free GDPR-check instant claim assessment with guidance

Stoll & Sauer law firm provides a free GDPR compliance assessment through an online platform designed to deliver initial insights into potential claims for data breach compensation. By completing a questionnaire, users can quickly determine whether they have grounds for pursuing damages under Article 82. The service also outlines liability considerations, suggests organisational and technical safeguards to improve data protection, and offers guidance on legal procedures without any financial commitment.

The GDPR Online Check provided by Stoll & Sauer offers individuals affected by cyber-induced data breaches a swift and cost-free initial evaluation of their potential legal claims. By clearly delineating responsibilities, assessing possible risks, and proposing concrete steps, the service equips patients with expert guidance. This resource enables them to pursue compensation claims efficiently while simultaneously outlining best practices to strengthen data security and reduce the likelihood of unauthorized disclosures.
