A phishing attack on the University of North Carolina Chapel Hill School of Medicine resulted in the potential access of the protected health information (PHI) of 3,716 patients by unauthorized persons.
A third-party forensics experts’ investigation confirmed the compromise of a few employee email accounts from May 17, 2018 to June 18, 2018. It is not clear when the detection of the security breach first occurred.
The email messages and attachments in the compromised accounts contained information that differed from one patient to another. But the patient information may have included names, demographic data, birth dates, Social Security numbers, medical insurance data financial account details and credit card numbers.
UNC Chapel Hill School of Medicine notified the affected people on November 12, 2019 and offered free credit monitoring and identity theft protection services to those whose Social Security numbers were potentially exposed.
The University also implemented multi-factor authentication and gave further training to the personnel about cybersecurity and phishing.
Phishing Attack on Starling Physicians
A phishing attack on Starling Physicians P.C. in Connecticut resulted in the potential compromise of the personal and health data of some patients. The attack on the physician group happened on February 8, 2019. A third-party forensics company conducted a breach investigation to assess the nature and extent of the attack. There were three email accounts of employees that were compromised.
On September 12, Starling Physicians stated that the information contained in the compromised email accounts included names, addresses, birth dates, passport numbers, Social Security numbers, medical insurance details, billing data, and medical data of some patients. There’s no mention when the group discovered the phishing attack.
The affected patients received notification letters on November 12, 2019. Patients who had potentially compromised their Social Security numbers were offered free credit monitoring and identity theft protection services.
The exact number of affected patients is currently uncertain. However, the group’s spokesperson said that the incident affected less than 0.01% of active patients.