University of Nebraska Medical Center REDCap Data Breach 2026: 26,937 Research Participants Exposed. Vulnerability Active for 2.5 Years. What To Do
The University of Nebraska Medical Center disclosed in April 2026 that a vulnerability in its REDCap research-data platform allowed unauthorized access between September 2023 and February 2026 — roughly 2.5 years. Names, dates of birth, medical record numbers, clinical info, and (for a subset) Social Security numbers exposed for 26,937 research participants. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Sep 20, 2023
Vulnerability allowed unauthorized REDCap access (start of exposure window)
Feb 1, 2026
Vulnerability discovered; REDCap taken offline; forensics engaged
Feb 18, 2026
Forensic review concludes; application exposure confirmed (data exfiltration could not be determined)
Apr 17, 2026
Public notice posted; HHS OCR filing
Sep 20, 2023
Vulnerability allowed unauthorized REDCap access (start of exposure window)
Feb 1, 2026
Vulnerability discovered; REDCap taken offline; forensics engaged
Feb 18, 2026
Forensic review concludes; application exposure confirmed (data exfiltration could not be determined)
Apr 17, 2026
Public notice posted; HHS OCR filing
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
The University of Nebraska Medical Center (UNMC) is the academic medical center anchoring Nebraska Medicine in Omaha — Nebraska’s flagship academic health system, ~800 beds across the system, and home to the federally funded National Quarantine Unit / Biocontainment Unit.
This breach affected REDCap, a research-data platform developed at Vanderbilt and widely used for clinical research, quality-improvement projects, and public-health surveys. In February 2026, UNMC discovered that a vulnerability in its REDCap deployment had allowed remote application access since September 20, 2023 — an exposure window of roughly 2.5 years. UNMC immediately took REDCap offline. The forensic investigation concluded on February 18, 2026 that the application had been exposed during the window but could not determine whether protected information was actually exfiltrated.
UNMC posted public notice on April 17, 2026 and filed with HHS OCR the same day, confirming 26,937 affected individuals. UNMC’s notice states the review of REDCap projects is ongoing and additional individuals may be notified — the count is best treated as interim.
This is a separate incident from the 2020 Nebraska Medicine ransomware breach (~219,000 affected, settled class action).
No threat actor has been named. No leak-site listings tied to UNMC have been identified.
What was potentially exposed
Exposed data varies by REDCap project but could include:
- Full name, date of birth
- Home address, phone, email
- Medical record number
- Clinical information: visit dates, diagnoses, medications, lab results, imaging or procedure data, questionnaire responses
- Social Security number for a limited subset of REDCap projects
What UNMC is offering
- REDCap migrated to an updated release with enhanced logging and security controls
- Complimentary credit monitoring is being offered only to individuals whose SSNs were identified in affected REDCap projects (not all 26,937)
- Dedicated call center: (844) 403-4589 (Monday to Friday, 8:00 a.m. to 5:30 p.m. Central)
- Principal investigators and study contacts have been notified for affected projects
What to do
- If you have ever participated in a UNMC or Nebraska Medicine research study, expect a letter. Many research studies span years; the 2.5-year exposure window covers a large slice of UNMC’s research operations.
- If your letter says your SSN was involved, enroll in the offered credit monitoring. Otherwise, monitor your accounts.
- Place free credit freezes at Equifax, Experian, and TransUnion as a baseline precaution.
- Be alert to research-targeted phishing. With study context known to an attacker (visit dates, diagnoses, questionnaire responses), highly tailored scam outreach is realistic.
- Stop the ongoing flow of your research data. HealthConsent files restriction requests and FTC HBNR deletion requests for research data flowing to downstream data brokers and pharma-research aggregators.
Note on Nebraska class action liability
Nebraska enacted LB 241 (2024) which limits class-action liability for entities maintaining a reasonable cybersecurity program. This may shape any future litigation.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- UNMC: Notice of REDCap Data Security Incident
- Nebraska AG Breach Public Search
- Koley Jessen: Nebraska Class-Action Limitation Law (LB 241)
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.