Cyber Incident Victim: University of North Carolina School of Medicine

Between May 17, 2018, and June 18, 2018, employees at the University of North Carolina at Chapel Hill School of Medicine fell victim to a phishing attack that compromised their email accounts. The attackers gained unauthorized access to these accounts during this period, though the exact number of affected employees remains unspecified. The breach remained undetected for over a year until September 13, 2019, when investigators confirmed both the account intrusions and the presence of protected health information (PHI) and personally identifiable information (PII) within the compromised mailboxes. The exposed data encompassed patient names, dates of birth, addresses, health insurance details, medical information, Social Security numbers, financial account data, and credit card information. This incident impacted 3,716 patients whose sensitive information resided in the breached email accounts.

The University initiated patient notifications on November 12, 2019, disclosing the 16-month delay between the phishing incident and confirmation of data exposure. No details regarding containment measures, forensic methodologies, or system remediation efforts were provided in the public notification. The compromised data types created significant risks for identity theft, financial fraud, and medical privacy violations for affected individuals. UNC did not specify whether credit monitoring or identity protection services were offered to victims. The disclosure highlighted vulnerabilities in email security practices and the prolonged timeframe required to detect and investigate the breach despite its phishing origins.