The UNC School of Medicine is notifying an estimated 3,716 people starting Nov. 12 that their personal information may have been compromised in a cyber phishing incident.
An unauthorized third party gained access to several School of Medicine email accounts during the approximate time frame of May 17 to June 18, 2018, according to a review from an independent forensic firm. Information technology security teams are continuing to monitor the systems for unauthorized activity.
The forensic review confirmed that some affected email accounts contained the personal information of patients, possibly related to treatments received by a UNC physician. The incident report from the School of Medicine did not describe exactly how hackers obtained sensitive data.
“Cyber phishing incidents such as these are particularly concerning in the context of healthcare, because healthcare data consists of data bits that are both highly sensitive and personal when it comes to unauthorized access,” said David Behinfar, chief privacy officer of UNC Health Care.
Behinfar said he works separately from the School of Medicine and is not part of the team directly responding to the phishing incident.
The information may have included patients’ names and dates of birth, as well as demographic data such as addresses, health insurance information, health information, Social Security numbers, financial account information and credit card information, according to the incident report.
In response to this incident, the School of Medicine has implemented multi-factor authentication to increase the security of its email accounts and has enhanced employee training on phishing recognition and awareness.
Dennis Schmidt, the UNC chief information security officer, said these security increases build on past improvements to the system.
“Since the implementation of 2-Step Verification on email in the Fall of 2018, the University has had only four compromised accounts. At the height of the issue in July 2017, we had over 643 compromised accounts in one month due to phishing,” Schmidt said in a statement. “The results speak for themselves — the impact of 2-Step Verification is significant.”