The Daily Tar Heel
Printing news. Raising hell. Since 1893.
Thursday, Feb. 22, 2024

School of Medicine phishing incident raises security concerns


The UNC School of Medicine announced on Nov. 12, 2019 that it will be sending notification letters to an estimated 3,716 people who may have been affected by a cyber phishing incident with some School of Medicine email accounts. 

The UNC School of Medicine is notifying an estimated 3,716 people starting Nov. 12 that their personal information may have been compromised in a cyber phishing incident.

An unauthorized third party gained access to several School of Medicine email accounts during the approximate time frame of May 17 to June 18, 2018, according to a review from an independent forensic firm. Information technology security teams are continuing to monitor the systems for unauthorized activity.

The forensic review confirmed that some affected email accounts contained the personal information of patients, possibly related to treatments received by a UNC physician. The incident report from the School of Medicine did not describe exactly how hackers obtained sensitive data. 

“Cyber phishing incidents such as these are particularly concerning in the context of healthcare, because healthcare data consists of data bits that are both highly sensitive and personal when it comes to unauthorized access,” said David Behinfar, chief privacy officer of UNC Health Care.

Behinfar said he works separately from the School of Medicine and is not part of the team directly responding to the phishing incident. 

The information may have included patients’ names and dates of birth, as well as demographic data such as addresses, health insurance information, health information, Social Security numbers, financial account information and credit card information, according to the incident report.

In response to this incident, the School of Medicine has implemented multi-factor authentication to increase the security of its email accounts and has enhanced employee training on phishing recognition and awareness.

Dennis Schmidt, the UNC chief information security officer, said these increases in security are building on past improvements of the system.

“Since the implementation of 2-Step Verification on email in the Fall of 2018, the University has had only four compromised accounts. At the height of the issue in July 2017, we had over 643 compromised accounts in one month due to phishing,” Schmidt said in a statement. “The results speak for themselves — the impact of 2-Step Verification is significant.”

The Institutional Privacy Office, part of UNC Information Technology Services, declined to comment on the recent incident.

For patients whose Social Security number was contained in the email accounts, the school is offering complimentary credit monitoring and identity protection services, according to the incident report. Additionally, the school recommends that affected patients review the statements they receive from their health care providers and health insurer to ensure they are accurate.

“The UNC School of Medicine does a great job with ensuring the security and privacy of the information they are maintaining,” Behinfar said. “I’m sure this incident will give them greater opportunities to educate their workforce on the importance of being vigilant when it comes to cybersecurity.”

Behinfar said it’s critical to ensure that healthcare workers across the nation, ranging from healthcare providers to general staff, understand how important it is to recognize and take the time to read through what may be a suspicious email address.

Behinfar said the UNC Health Care system also implements two-factor authentication, as well as annual security training and phishing campaigns, in which the security office sends out what look like phishing emails to make sure the workers aren’t fooled.

Email addresses are all over the place, and anyone can go online and obtain them through public internet searching, he said.

“The public needs to understand that emails are widely available to a lot of different people, and you can’t assume that your email information will be kept private — your email will never be private,” he said. “Where the user is at fault is when they click on a message or open an attachment when they shouldn’t, and they need to recognize when an email is suspicious.”

When the user clicks on an attachment, he said, that’s what downloads malicious software or content, deriving from what they clicked on and linking to their personal information.

UNC computer science professor Michael Reiter described one dangerous phishing situation that can occur, in which people can be tricked into entering their email address and password into a fake website. That information can be captured and used to access the person’s email account later, he said. 

Behinfar also described past situations of hackers taking over an email address and using it to change the mailing address where the user receives their payroll checks. The hacker can also change the financial bank account information to an “updated address” to eDeposit payroll checks without the user noticing, he said.

Other than using emails for financial gain, he said it may just be that the hacker wants to use the email addresses to send out thousands of spam messages and has no intention of using personal data.

“It’s never really clear what the motive of the hacker is,” he said.

Behinfar suggested proceeding with caution when opening emails from unknown senders, and hovering over attached links so you can read over the web address they link to. You can often tell if it’s malicious or inappropriate content, he said, rather than something from your bank or another trusted sender.

“The public needs to understand that downloading attachments is always a risky business,” he said. “You should never open something unless you are absolutely sure you know who is sending the message.”