The University of North Carolina at Chapel Hill School of Medicine values the privacy and security of our patients’ information. Regrettably, a cyber phishing incident involving some email accounts used by the UNC School of Medicine may have involved some patient information, possibly including patients’ health and personal information.

A lengthy and extensive review conducted by a leading independent forensic firm that concluded on September 13, 2019, confirmed that an unauthorized third party gained access to several email accounts during the approximate timeframe of May 17, 2018 to June 18, 2018. The review confirmed that the personal information of approximately 3,716 persons was contained in the affected email accounts, possibly related to treatments received when they were seen by a UNC physician.

The information involved may have included patients’ names, dates of birth, demographic data such as addresses, health insurance information, health information, Social Security numbers, financial account information and credit card information. The unauthorized third-party access was limited to the affected email accounts and did not affect medical record systems or patient care systems maintained by UNC Health Care. Information technology security teams continue to monitor relevant systems for unauthorized activity.

While we have no indication that any information has been misused, we began mailing notification letters to patients whose information was in the affected accounts on November 12, 2019. For those patients whose Social Security number was contained in the email accounts, we are offering complimentary credit monitoring and identity protection services. We recommend affected patients review the statements they receive from their health care providers and health insurer. If a patient sees services they did not receive, please contact the provider or insurer immediately.

The UNC School of Medicine takes its obligation to protect patient privacy very seriously and we are sorry that this incident occurred. We sincerely apologize for any stress or worry that this may cause our patients. To help prevent something like this from happening again, we have implemented multi-factor authentication to increase the security of our email accounts and have enhanced our employee training on phishing recognition and awareness.

If you believe you are affected but do not receive a letter before December 15, 2019, please call 1-833-935-1367, Monday through Friday, 9:00 a.m. to 9:00 p.m.