Notice of a Data Security Incident
The University of North Carolina at Chapel Hill School of Medicine (“SOM”) and The University of North Carolina Hospitals (“UNC Hospitals”) are committed to protecting the confidentiality of our patients’ information. This notice describes an incident that may have involved some of that information.
On May 20, 2021, we learned that an unauthorized person may have gained access to a SOM faculty member’s email account. This SOM faculty member provides clinical services at the UNC Hospitals. We secured the impacted email account, began an investigation, and a cyber security firm was engaged to assist in our investigation. Our investigation confirmed that the unauthorized access was isolated and limited to April 20, 2021. We have no indication that any other SOM or UNC Hospitals user email accounts or patient information systems were involved or accessed. We conducted a comprehensive review of the contents of the email account, and we have determined that messages or attachments may have contained some patient information, including patients’ names, dates of birth, diagnosis and treatment information related to care patients received from UNC Hospitals, and/or information about a research study patients may have been involved in or eligible for at UNC Hospitals/SOM. Health insurance information was identified for less than 30 patients and Social Security numbers for less than 10 individuals.
On July 19, 2021, we began mailing letters to patients whose information may have been involved in this incident and established a call center to answer patients’ questions. If patients have any questions about this incident, they should call 1-855-545-1984, Monday through Friday, between 9:00 a.m. and 6:30 p.m., Eastern time.
To date, we have no indication that patient information has been misused. We recommend that patients closely review the billing statement they receive from their healthcare providers. If they see any services that they did not receive, they should contact the provider immediately.
We deeply regret any concern or inconvenience this incident may cause. In response to this incident, we are implementing additional email security measures and providing additional training to our workforce members on how to identify and avoid phishing emails to help prevent something like this from happening again.