The University of North Carolina at Chapel Hill School of Medicine (“SOM”) and The University of North Carolina Hospitals (“UNC Hospitals”) are committed to protecting the confidentiality of our constituents’ information. This notice describes an incident that may have involved some of that information.
On February 1, 2024, a University SOM user fell victim to a social engineering attack by clicking on a malicious phishing hyperlink received from a known and trusted contact. The threat actor tricked the user to share the user’s multi-factor authentication code allowing the threat actor to access the user’s University email account. After the University discovered the incident on February 2, 2024, the University secured the impacted email account, began an investigation, and retained a cyber security firm to assist in the investigation. Our investigation confirmed that the unauthorized access was resolved within 24 hours of compromise. We have no indication that any other SOM, University, or UNC Hospitals user email accounts or patient information systems were involved or accessed. We conducted a comprehensive review of the incident and have determined that a message or attachment in the user’s account may have contained some of your information. This information may have included your name, date of birth, diagnosis and treatment information, Driver’s License number, Social Security number, financial account information, and health insurance identification number.
On April 2, 2024, UNC Hospitals and the University began mailing letters to individuals whose information may have been involved in this incident and established a call center to answer individuals’ questions. The University is offering 12-months of credit monitoring services to all impacted individuals whose Driver’s License number, Social Security number, financial account information or health insurance identification number was potentially in scope. If individuals have any questions about this incident, they should call 888-680-6923, Monday through Friday, between 9:00 a.m. and 9:00 p.m., Eastern Time.
To date, we have no indication that any personally identifiable information has been misused. However, we recommend that impacted individuals closely review billing statements they receive from their healthcare providers. If they see any services that they did not receive, they should contact the provider immediately.
We deeply regret any concern or inconvenience this incident may cause. In response to this incident, we are implementing additional email security measures and evaluating University policies to help prevent something like this from happening again.