The University and hospitals are still contacting patients about an email data breach.
The University of North Carolina (UNC) at Chapel Hill (the “University”) and The University of North Carolina Hospitals (“UNC Hospitals”) recently faced a data breach, which they announced on their website on September 19th, 2025.
According to their notice, they learned of the data breach on July 24th, 2025. Once it was discovered, the University secured the email account and conducted an investigation. Ultimately, the incident itself was resolved within 15 hours of occurring. UNC reported the breach to the Department of Health and Human Services (HHS), noting that the hospital breach impacted 6,377 individuals while the University breach impacted 799 individuals.
UNC’s notice provided further insight into how the breach took place. The incident was traced back to the email account of a faculty member at the University’s School of Medicine. The faculty member both provides clinical services at the hospitals and conducts research through their position at the University.
The faculty member fell victim to a social engineering attack by clicking on a malicious phishing link that was sent from a trusted contact. The faculty member was then tricked into providing a multifactor authentication code that allowed the threat actor to access the faculty member’s University email account.
Although the incident lasted only a few hours, it still exposed patient information. Data involved may have included names, dates of birth, diagnosis and treatment information, driver’s license information, Social Security information, health insurance and financial information, and information related to research studies conducted at UNC Hospitals.
UNC provided significant insight into how the breach took place and was resolved. This information shows the sophistication of phishing attacks and how, under the right circumstances, anyone can fall victim to them.
While training is a necessary component, the right technology is critical to preventing human errors that lead to breaches. Paubox’s email suite automatically flags suspicious emails for review, ensuring malicious links never make it to employee inboxes. Paubox customers have never experienced a data breach, despite email being a common vector for attack.
Social engineering attacks are threats that use psychological manipulation to trick individuals into revealing sensitive or protected information. These threat actors typically create a sense of urgency or build trust with victims, making them easier to manipulate.
Multi-factor authentication adds an additional layer of security to accounts and usually involves individuals entering a code after their password. This ensures that even if a password is stolen, the account remains secure. However, even when MFA is in use, an account can still be compromised under certain circumstances, as it was in this case.
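The reason a phished code defeats this kind of MFA is visible in how a time-based one-time code is checked. The following is an added example, not code from Paubox or from UNC, implementing the standard TOTP algorithm (RFC 6238) in Python. The secret is the published RFC 6238 test secret, used here only so the output can be checked against the RFC’s test vectors, and the step, digit count and verification window are typical values assumed for illustration. The point to notice is in verify_totp: the server checks only the shared secret and the clock, not who submitted the code or whether that person also passed the password step, so any holder of a code that is still inside the validity window is accepted.

```python
import hashlib
import hmac
import struct

# Constructed demo values: the RFC 6238 Appendix B test secret (ASCII "12345678901234567890"),
# a 30-second step and 6-digit codes. Not a real credential.
DEMO_SECRET = b"12345678901234567890"
STEP = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                window: int = 1, step: int = STEP) -> bool:
    """Server-side check of a submitted code, tolerating `window` steps of clock drift.

    Note what is NOT checked: the identity, device or network location of whoever
    submits the code. A code the legitimate user reads out to someone else verifies
    exactly as if the user had typed it, which is why handing over an MFA code
    undoes the protection the second factor was meant to provide.
    """
    counter = unix_time // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + drift), submitted):
            return True
    return False


def seconds_of_validity(unix_time: int, window: int = 1, step: int = STEP) -> int:
    """How long a code generated at `unix_time` stays acceptable to verify_totp:
    the remainder of the current step plus `window` further steps.

    Defensive takeaway: a tighter window shortens the time a disclosed code is usable,
    but cannot stop a code that is relayed within seconds; only a factor bound to the
    user's device and the site's origin (e.g. a FIDO2 security key) removes that."""
    return step - (unix_time % step) + window * step


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; any Unix timestamp works
    code = totp(DEMO_SECRET, now)
    print("code at t=59:", code)
    print("accepted 20 s later:", verify_totp(DEMO_SECRET, code, now + 20))
    print("accepted 100 s later:", verify_totp(DEMO_SECRET, code, now + 100))
    print("seconds the code stays valid:", seconds_of_validity(now))
```

Running the script shows the code generated at the RFC test time verifying 20 seconds later but not 100 seconds later. Shrinking the window and step limits how long a disclosed code remains usable, but the check itself can never tell a legitimate entry from a relayed one; that is the gap this incident fell into, and it is why training users never to share a code and preferring phishing-resistant factors matter alongside email filtering.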