Notice of Security Event
RE: Notification of Privacy Incident
UNC Health is committed to providing superior health care services to our patients and takes very seriously our obligation to protect the privacy of their information. We are writing to make patients aware of an error in our medical record system that may have allowed an individual who is not the patient, and who is not authorized to have access to the patient’s billing records, to access limited billing information about some patients in our system.
The fields we use to support our billing functions for clinical services received at UNC Health facilities include a field where the name of an individual who is authorized to have access to certain billing information for a patient may be inserted (the “Field”). Typically, when the patient is an adult, the Field is completed with the patient’s name and information. However, if a member of the patient’s family (e.g., a parent or guardian) is authorized to have access to the patient’s billing records, the name of the family member may be inserted in the Field instead.
On September 9, 2021, we initiated an internal review of the use of the Field and found that in 946 cases we were unable to confirm the relationship between the patient and the individual named in the Field. It is possible that the individual named in the Field is in fact a relative or another person who has appropriate access to the patient’s billing information. However, because we are not able to conclusively determine that the individual named in the Field had appropriate access to billing information in the patient’s account, we are providing those individuals with notice to make them aware of this issue.
The individual listed in the Field may have viewed certain billing information related to the patient. This information includes demographic information (such as patient name and address) and limited clinical information (such as dates of service and a brief description of the services provided on those days) as well as information about the charges and payments related to these services. This information does not include credit card, debit card, or bank account numbers, driver’s license numbers, insurance identification numbers, Social Security numbers, or any other numbers or information that can be used to access the patient’s financial resources. Accordingly, we have no reason to believe that the patient is or will be at financial risk as a result of this issue.
In response to this issue, we have reset the Field so that anyone who was listed in the Field will no longer have access to the patient’s billing information. Should the patient like the individual who was listed in the Field to continue to have access to the patient’s billing information, the person who had been listed in the Field will need to apply for proxy access to the patient’s My UNC Chart account by clicking the orange “Get Started” button on this page: http://www.myUNCchart.org/. The patient (or their parent/guardian) will be asked to approve that access before it will be granted. Additionally, we have changed our electronic medical records system to limit the staff members who have access to update the Field and have re-trained the staff members who will continue to have access to update the Field.
UNC Health is committed to protecting the privacy and security of patient information and has developed and implemented numerous safeguards in furtherance of this commitment. These safeguards include the implementation of privacy policies and procedures, an audit program, and privacy education and training for the UNC Health workforce. Further, we believe the steps being taken in response to this issue, described above, combined with the foregoing safeguards, will prevent a similar issue from recurring.
Should you have questions or should you wish to discuss this further, please do not hesitate to contact our office at (984) 974-1069 or toll-free at (833) 407-6257 weekdays between the hours of 9AM and 5PM EST.