German university hospitals are grappling with a large-scale patient data breach after unknown hackers targeted an external billing service provider used by medical centers across the country, according to statements from several affected medical institutions.

The attack reportedly hit Unimed, a company that handles billing services for privately insured and self-paying patients on behalf of numerous German hospitals. Hospitals said the breach did not compromise their own clinical infrastructure or disrupt patient treatment.

Several university hospitals, including those in Cologne, Freiburg, Heidelberg, Tübingen, Ulm and Mannheim, disclosed Thursday that patient information had been stolen after attackers breached the service provider in mid-April. The scale of the breach varied by hospital.

University Hospital Cologne said nearly 30,000 people were affected. According to the hospital, attackers accessed names, addresses and information about treating physicians. In more than 840 cases, additional health-related information, including communications with the billing provider, was exposed. Bank and payment data was compromised in five cases.

Hospitals in the southwestern German state of Baden-Württemberg also reported significant breaches. Freiburg University Hospital said hackers stole basic personal data from around 54,000 patients and billing information linked to diagnoses or treatments in about 900 cases.

Heidelberg University Hospital said around 11,000 patients were affected, including roughly 2,700 whose billing information may also have been exposed. Ulm University Hospital reported approximately 1,600 affected patients, including about 300 cases involving diagnosis and treatment information.

The hospitals said Unimed processes invoices and treatment-related administrative data for privately insured patients, people with supplemental insurance and self-paying patients, including some international patients. Officials emphasized that patients covered solely through Germany’s statutory public health insurance system were generally not affected.

The affected hospitals said they had halted data transfers to the service provider. Unimed hasn’t yet commented on the attack and did not respond to a request for comment.

The identity of the attackers and the nature of the cyberattack have not been disclosed. No ransomware group or threat actor has publicly claimed responsibility. 

Several hospitals said they were considering legal action against the provider. Heidelberg University Hospital said it had filed a criminal complaint against unknown persons.

“Health data is among the most sensitive data of all. Its theft is a serious infringement on the rights of those affected,” said Frederik Wenz, medical director of Freiburg University Hospital.

“We take this incident very seriously and demand a full investigation from the service provider. We are also examining legal options.”