Active breach tracker Omaha, NE Disclosed April 17, 2026

University of Nebraska Medical Center REDCap Data Breach 2026: 26,937 Research Participants Exposed. Vulnerability Active for 2.5 Years. What To Do

The University of Nebraska Medical Center disclosed in April 2026 that a vulnerability in its REDCap research-data platform allowed unauthorized access between September 2023 and February 2026 — roughly 2.5 years. Names, dates of birth, medical record numbers, clinical info, and (for a subset) Social Security numbers exposed for 26,937 research participants. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Sep 20, 2023

Vulnerability allowed unauthorized REDCap access (start of exposure window)

Feb 1, 2026

Vulnerability discovered; REDCap taken offline; forensics engaged

Feb 18, 2026

Forensic review concludes; application exposure confirmed (data exfiltration could not be determined)

Apr 17, 2026

Public notice posted; HHS OCR filing

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number (limited subset of REDCap projects)

02

Health records

Don't expire and can't be reissued

Medical record number Clinical information (visit dates, diagnoses, medications, lab results, imaging, procedures)

03

Contact & insurance

Phishing + targeted scams

Full name Home address Phone number Email address Questionnaire responses
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

The University of Nebraska Medical Center (UNMC) is the academic medical center anchoring Nebraska Medicine in Omaha — Nebraska’s flagship academic health system, ~800 beds across the system, and home to the federally funded National Quarantine Unit / Biocontainment Unit.

This breach affected REDCap, a research-data platform developed at Vanderbilt and widely used for clinical research, quality-improvement projects, and public-health surveys. In February 2026, UNMC discovered that a vulnerability in its REDCap deployment had allowed remote application access since September 20, 2023 — an exposure window of roughly 2.5 years. UNMC immediately took REDCap offline. The forensic investigation concluded on February 18, 2026 that the application had been exposed during the window but could not determine whether protected information was actually exfiltrated.

UNMC posted public notice on April 17, 2026 and filed with HHS OCR the same day, confirming 26,937 affected individuals. UNMC’s notice states the review of REDCap projects is ongoing and additional individuals may be notified — the count is best treated as interim.

This is a separate incident from the 2020 Nebraska Medicine ransomware breach (~219,000 affected, settled class action).

No threat actor has been named. No leak-site listings tied to UNMC have been identified.

What was potentially exposed

Exposed data varies by REDCap project but could include:

  • Full name, date of birth
  • Home address, phone, email
  • Medical record number
  • Clinical information: visit dates, diagnoses, medications, lab results, imaging or procedure data, questionnaire responses
  • Social Security number for a limited subset of REDCap projects

What UNMC is offering

  • REDCap migrated to an updated release with enhanced logging and security controls
  • Complimentary credit monitoring is being offered only to individuals whose SSNs were identified in affected REDCap projects (not all 26,937)
  • Dedicated call center: (844) 403-4589 (Monday to Friday, 8:00 a.m. to 5:30 p.m. Central)
  • Principal investigators and study contacts have been notified for affected projects

What to do

  1. If you have ever participated in a UNMC or Nebraska Medicine research study, expect a letter. Many research studies span years; the 2.5-year exposure window covers a large slice of UNMC’s research operations.
  2. If your letter says your SSN was involved, enroll in the offered credit monitoring. Otherwise, monitor your accounts.
  3. Place free credit freezes at Equifax, Experian, and TransUnion as a baseline precaution.
  4. Be alert to research-targeted phishing. With study context known to an attacker (visit dates, diagnoses, questionnaire responses), highly tailored scam outreach is realistic.
  5. Stop the ongoing flow of your research data. HealthConsent files restriction requests and FTC HBNR deletion requests for research data flowing to downstream data brokers and pharma-research aggregators.

Note on Nebraska class action liability

Nebraska enacted LB 241 (2024) which limits class-action liability for entities maintaining a reasonable cybersecurity program. This may shape any future litigation.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.