In February 2026, the University of Nebraska Medical Center (“UNMC”) learned that REDCap, a software application UNMC uses to support research studies, quality improvement projects, and public health activities, had a vulnerability that could allow an unauthorized person to gain remote access to the application.
Upon learning of the vulnerability, UNMC immediately took REDCap offline and initiated an investigation with the support of third-party cybersecurity consultants. On February 18, 2026, UNMC’s investigation determined that its instance of REDCap was subject to unauthorized access between September 20, 2023 and February 3, 2026. The investigation was unable to determine whether any personal information housed in REDCap was actually accessed, though the vulnerability made such access possible. The information housed in REDCap varied by project and by individual, but could include name; identifiers such as date of birth, address, phone number, email address, and/or medical record number; and information created or collected in connection with a research study, such as clinical information, visit dates, diagnoses, medications, laboratory results, imaging or procedure information, questionnaire responses, or other health-related information. For a limited number of projects, Social Security numbers may have been collected and maintained in REDCap.
In an abundance of caution, UNMC is notifying individuals whose personal information is identified in REDCap. Please note that UNMC’s review of the REDCap projects is ongoing, and UNMC will provide notice to additionally identified individuals upon completion of the review.
While UNMC does not have evidence that information was actually accessed, it is always a good idea to review statements received from healthcare providers and report any unfamiliar services or charges to the issuing entity. In addition, complimentary credit monitoring is being offered to individuals whose Social Security numbers are identified in REDCap.
To help prevent an incident like this from happening again, UNMC migrated to an updated version of REDCap that was released to address the vulnerability. This new version has enhanced logging and security controls enabled. Please note, we have no indication that any other UNMC application or system was impacted; Nebraska Medicine’s clinical systems operate independently from the REDCap application and were also unaffected by this incident.
For questions about this incident, UNMC encourages individuals to contact the dedicated call center at (844) 403-4589 between 8:00 a.m. and 5:30 p.m. Central Time, Monday through Friday, excluding US holidays.