UNC Hospitals & School of Medicine Notify Individuals of Email Security Breach

CHAPEL HILL, N.C.--(BUSINESS WIRE)--Today, The University of North Carolina at Chapel Hill School of Medicine (SOM) and The University of North Carolina Hospitals (“UNC Hospitals”) announced that they are mailing letters to some individuals whose information may have been involved in a recent email security breach.

On February 1, 2024, a University School of Medicine (SOM) user fell victim to a social engineering attack by clicking on a malicious phishing hyperlink received from a known and trusted contact. The threat actor mislead the user into sharing the user’s multi-factor authentication code allowing the threat actor to access the user’s university email account.

After the university discovered the incident on February 2, 2024, the university secured the impacted email account, began an investigation, and retained a cyber security firm to assist in the investigation. This investigation confirmed that the unauthorized access was resolved within 24 hours of compromise. UNC Hospitals / UNC SOM has no indication that any other University, School of Medicine, or UNC Hospitals’ user email accounts or patient information systems were involved or accessed.

On April 2, 2024, the university and UNC Hospitals began mailing letters to impacted individuals whose information may have been involved in this incident and established a call center to answer individuals’ questions. If impacted individuals have any questions about this incident, they should call 888-680-6923, Monday through Friday, between 9:00 a.m. and 9:00 p.m., Eastern Time.

To date, UNC Hospitals and the university have no indication that any personally identifiable information has been misused. However, the University is offering 12-months of credit monitoring services to all impacted individuals whose driver’s license number, Social Security number, financial account information, or health insurance identification number was potentially in scope.

UNC Hospitals and the university also recommend that impacted individuals closely review the billing statement they receive from their healthcare providers. If they see any services that they did not receive, they should contact the provider immediately.

UNC Hospitals and the university deeply regret any concern or inconvenience this incident may cause. In response to the incident, the university is implementing additional email security measures and evaluating University policies to help prevent something like this from happening again.