The University of North Carolina (UNC) at Chapel Hill School of Medicine notified 3,716 persons whose information may have been affected in a cyber phishing incident.
A forensic firm conducted a review that concluded on Sept. 13, 2019, and confirmed that an unauthorized third party gained access to several email accounts during the approximate timeframe of May 17, 2018, to June 18, 2018. The review confirmed that some patients’ personal information was contained in the affected email accounts, possibly related to treatments received when they were seen by a UNC physician.
The information involved may have included patients’ names and dates of birth, and demographic data such as addresses, health insurance information, health information, Social Security numbers, financial account information and/or credit card information. The unauthorized third-party access was "limited to the affected email accounts and did not impact medical record systems or patient care systems maintained by UNC Health Care. Information technology security teams continue to monitor relevant systems for unauthorized activity," says the UNC School of Medicine.
For patients whose Social Security number was contained in the email accounts, UNC School of Medicine is offering complimentary credit monitoring and identity protection services for patients whose Social Security numbers were contained in the email accounts.
In addition, UNC School of Medicine says it has implemented multi-factor authentication to increase security of its email accounts and enhanced employee education and training on phishing recognition and awareness to prevent another ransomware incident.