Notice of Data Security Event

April 3, 2023

UNC Health Rex and its affiliate hospitals are committed to providing its patients with superior health care services and takes very seriously its obligation to protect the privacy of all patient information. On February 2, 2023, we discovered that patient emergency medical transport (EMT) records from emergency transports for certain patients admitted to one of six UNC Health Rex affiliate hospitals were filed in the medical records of another patient in error.  We have corrected this error and have no reason to believe that any patient information has or will be compromised or misused.  But we want to make affected patients aware of this occurrence and how we are addressing it.

Patients of the following UNC Health affiliate hospitals have been affected:

  1. University of North Carolina Hospitals at Chapel Hill (UNC Hospitals)
  2. Margaret R. Pardee Memorial Hospital
  3. Johnston Health Services Corporation dba UNC Health Johnston
  4. Nash Hospitals, Inc.
  5. Chatham Hospital, Incorporated
  6. Rex Healthcare, Inc.

What Happened

Upon arrival to one of the above referenced hospitals, county EMT personnel completed the patient’s EMT record in its own electronic medical records system and incorrectly included a unique health care number that matched a different patient.  The EMT record was then sent to the hospital’s electronic medical record system, Epic@UNC.  Because this incorrect number matched another patient’s Epic@UNC record, the EMT record was uploaded to that patient’s Epic@UNC record in error.

Depending on the individual patient, the EMT record contained one or more of the following data elements: the patient’s name and demographic information,  driver’s license and social security numbers, health insurance information, medical treatment and diagnosis information, information about the medical condition for which the patient received emergency medical transport, the date of the emergency medical transport, the identities of the emergency medical treatment personnel, and information about the admitting hospital.

What We Are Doing To Address This Incident

We conducted a thorough investigation into this matter.  We identified the cause of the error, the patients who were affected by the error, and the ways to correct it and prevent it from happening again.

We removed the patient’s EMT record from the other patient’s Epic@UNC record.  We are also taking steps to ensure that the patient’s EMT record is properly included in his or her own medical record in our Epic@UNC medical record system.   

Additionally, as part of our investigation, we also discovered that when the other patient’s record was made available to other healthcare entities, that health care providers at these other facilities may have viewed the patient’s EMT record when viewing the Epic@UNC records of the other patient.  These health care providers may also have downloaded the EMT record into their own electronic medical records for the other patient.   We are making every effort to (1) identify the other facilities whose providers viewed or downloaded the EMT record during the time it was attached to another patient’s records, (2) notify them that the EMT record was attached to the other patient’s record in error, and (3) request that they delete any download of the EMT record from their medical records systems. 

Lastly, we have taken steps to make sure that this error does not happen again.  For example, we added more requirements for uploading an EMT record to Epic@UNC.  These requirements will help catch incorrect information in the EMT record before the EMT record is uploaded to a patient’s Epic@UNC record. 

Individuals potentially affected by this incident are being mailed written notices. Since contact information may be insufficient for some individuals, this substitute notice is being posted on the web pages of each of the six affected UNC Health affiliate hospitals and will remain active for at least 90 days.

Steps Patients have Been Encouraged To Take

UNC Health and its affiliate hospitals are providing additional information on general steps individuals can take to monitor and help protect their personal information by contacting the credit bureaus listed below. Although we are unaware of any actual or attempted misuse of patient information as a result of this incident, individuals should carefully review credit reports and statements sent from providers, as well as their insurance company, to ensure that all account activity is valid. Any questionable charges should be promptly reported to the company which maintains the account.

Free Credit Monitoring Offered to All Affected Patients Who Received a Written Notice

All individuals receiving a written mailed notice are being offered 1 year of free credit monitoring.  Individuals who receive notices by mail have been provided a unique code and instructions on how to activate their free credit monitoring.

Additional Steps Affected Patients Can Take

It is important for affected patients to continue to review their financial account statements and health insurance communications (such as explanations of benefits), and monitor their credit reports. Should affected patients wish to review and monitor their credit, they can obtain copies of their credit reports, place a fraud alert on their credit report or request a security freeze by contacting any one of the three major credit bureaus listed below:

Equifax

Experian

TransUnion

888.836.6351

PO Box 740241

Atlanta, GA 30374

www.equifax.com

1.888.397.3742

P.O. Box 9554

Allen, TX 75013

www.experian.com

888.909.8872

PO Box 6790

Fullerton, CA 92834

www.transunion.com

As soon as one credit bureau confirms a fraud alert, the other two main credit bureaus are then automatically notified and will also place fraud alerts on the individual’s credit file. All three bureaus will then send a credit report to the individual, free of charge. Under North Carolina law, individuals also have the option of instituting a free “security freeze” on their credit file. A security freeze locks an individual’s  credit file so that no one will be able to access the individual’s data (or improperly open an account in the individual’s name) without the individual’s permission.

For more information about preventing identity theft you may contact:

US Federal Trade Commission

North Carolina Attorney General’s Office

Telephone: 1.877.382.4357

Federal Trade Commission

600 Pennsylvania Avenue, NW

Washington, DC 20580

www.ftc.gov

Telephone: 1.919.716.6000

Attorney General’s Office

9001 Mail Service Center

Raleigh, NC 27699-9001

www.ncdoj.gov

Questions

UNC Health Rex and its affiliated hospitals have established a call center for people who have questions or are seeking additional information regarding this matter.  Individuals with questions may call us at (984) 974-1069 or at our toll-free number 1-833-407-6257 from 9:00 a.m. – 5:00pm est., Monday through Friday, except major US holidays.

UNC Health Rex and its affiliate hospitals are committed to protecting the privacy and security of personal information and deeply regrets any inconvenience and concern this incident may cause.