
North Carolina

A data breach is a security incident in which sensitive, protected, or confidential data is copied, transmitted, stolen, viewed, or used by an unauthorized entity. This can include a wide range of information, such as personal, business, government, or financial data. Data breaches can occur in various ways, including unintentional disclosure, hacking, insider threat, or physical theft. Data breaches lead to severe consequences for the affected entities.

Unfortunately, North Carolina is one of the most affected states, ranking seventh in the United States. These attacks include DDoS attacks, phishing scams, password hacking, and fake wireless access points. In 2022, there were more than 1,900 data breaches reported by organizations in North Carolina. The figure rose the next year to 2,033 incidents, affecting 4.9 million people. Most of the breaches that occur in the state are also medical-related, as illustrated in the following section.

Identity Theft Statistics

Identity Theft Reports
  • State Rank (Reports per 100K Population): 13th
  • Identity Theft Reports: 18,584

Fraud & Other Reports
  • State Rank (Reports per 100K Population): 14th
  • Total Fraud & Other Reports: 67,350

Fraud Losses
  • Total Fraud Losses: $31.6M
  • Median Fraud Losses: $300

Top Ten Report Categories

  • Identity Theft: 22%
  • Imposter Scams: 18%
  • Credit Bureaus, Information Furnishers and Report Users: 7%
  • Telephone and Mobile Services: 6%
  • Prizes, Sweepstakes and Lotteries: 5%
  • Banks and Lenders: 5%
  • Online Shopping and Negative Reviews: 5%
  • Debt Collection: 4%
  • Auto Related: 4%
  • Internet Services: 2%

Top Identity Theft Types

  • Other Identity Theft: 13,213 (36%)
  • Credit Card Fraud: 11,399 (31%)
  • Bank Fraud: 4,111 (11%)
  • Loan or Lease Fraud: 3,942 (11%)
  • Phone or Utilities Fraud: 2,106 (6%)
  • Employment or Tax-Related Fraud: 1,682 (5%)
  • Government Documents or Benefits Fraud: 742 (2%)

North Carolina's Recent Biggest Data Breaches

2023
May

Nuance

On May 31, 2023, Progress Software experienced a data security breach due to a zero-day vulnerability in its MOVEit secure file transfer software. This breach affected various organizations, including Nuance, a healthcare software provider that utilizes MOVEit for file exchange. In response, Nuance promptly secured its systems and initiated an investigation with cybersecurity experts and legal advisors. The breach, which occurred on May 28-29, 2023, specifically impacted the MOVEit Transfer application.

2022
October

WakeMed Health and Hospitals

WakeMed Health and Hospitals in North Carolina notified the Department of Health and Human Services on October 14 about a breach affecting nearly half a million individuals. The breach involved unauthorized access and disclosure of certain data, including phone numbers, email addresses, COVID-19 vaccination status, and appointment details. It occurred through the Facebook "pixel", a bit of tracking code that sends users' data to Meta when they click a button for services through their platform. WakeMed installed the tracking pixel provided by Facebook on its website and the WakeMed MyChart patient portal. In response, one of the patients, Trace Weddle, filed an ongoing suit against the organization for failing to satisfy its fiduciary duties.

2022
May

EmergeOrtho

On May 18, EmergeOrtho, based in Durham, N.C., informed 75,200 patients that unauthorized individuals might have accessed some of their private health information. They discovered and stopped a ransomware attack on their computer systems that day. An investigation ending on August 19 found that hackers had gotten into files with patients' names, addresses, financial details, birthdates, Social Security numbers, and, in some cases, medical data. Most affected patients live in the Coastal region.

2022
March

Carolina Behavioral Health Alliance, LLC

On March 20, 2022, Carolina Behavioral Health Alliance, LLC, was alerted to and successfully thwarted a sophisticated ransomware attack, preventing an unauthorized third party from compromising their computer systems. Immediate action was taken as third-party forensic firms were engaged to fortify the network environment and ascertain the extent of unauthorized access. The investigation determined that the unauthorized party may have accessed certain individuals' personal information on March 19 and 20, 2022.

2021
December

Radiology Specialists, Inc

An unauthorized party accessed the Radiology Ltd. network between December 17 and December 24, 2021. The investigation conducted by the practice revealed that sensitive patient information was accessible to the unauthorized party. The breach impacted 87,552 individuals. This incident was reported on February 18, 2022.

What Should You Do if You Are in a Breach?

Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.

Unfamiliar Credit Card Charges

If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.

Calls from Debt Collectors

Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.

New Credit Cards or Loans in Your Name

A new line of credit or a loan taken out in your name is a warning sign that you are a victim of identity theft.

Surprise Credit Score Drops

Sudden drops in your credit score with no obvious cause are a sign of suspicious activity.

Unusual Activity on Your Social Security Account

The federal government also considers Social Security numbers personal identifiers, so check your Social Security statement regularly to ensure no one has access to benefits without consent.

Inability to Sign In to Accounts

If you are locked out of an account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all else fails.

Step-by-Step Process for Responding to a Data Breach

01. Contact Local Law Enforcement

As an individual or a business, report the incident to the police and file a police report.

02. Assess and Secure Compromised Areas

Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, Social Security numbers, full names, and phone numbers.

03. Contain the Breach

Isolate the affected system to prevent further damage.

04. Create New, Strong Passwords for All Accounts

This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.

05. Notify Affected Institutions

Inform your bank, credit card companies, and other affected institutions. Request that they close or freeze any accounts that may be implicated in the breach to reduce financial risk.

06. Update Security on Digital Accounts

Change passwords for all accounts affected by the breach. Make sure each password is unique, and use two-factor verification as an additional layer of security.

07. Check for Malware

Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.

08. Freeze Your Credit

In cases of identity theft, contact all credit bureaus to freeze your credit.

09. Monitor Your Mail and Credit Reports

Keep an eye out for any unauthorized changes in your mail.

10. Engage Legal Assistance When Applicable

If you are a business, consider hiring a law firm experienced in handling data breaches.

Responsibilities of Companies that Have Been Breached

Every organization or business in North Carolina is responsible for putting security measures in place to protect its clients' data. If it suffers a data breach, it must report the incident to the Department of Justice. If it fails to do so, the Department of Justice will conduct investigations. Businesses are required to notify consumers if there are data breaches, regardless of the number of individuals affected.

A data breach includes unauthorized access and acquisition, which refers to obtaining unencrypted and unredacted records or data containing personal information without permission. This can lead to illegal use of personal data or pose a risk of harm to consumers. Exclusions may apply for certain acquisitions made in good faith.

Personal Information (PI) includes:

  1. First Name or Initial and Last Name
  2. Social Security Numbers
  3. Financial Account Numbers
  4. Driver's License Numbers
  5. Passport Numbers
  6. PINs
  7. Digital Signatures, Biometric Data
  8. Email Addresses
  9. Electronic ID Numbers
  10. Internet Account Information

However, PI doesn't include information individuals have agreed to make public, such as their name, address, and telephone number in directories. It also excludes data that are legally available to everyone from government records.

Notification timing should occur promptly, without undue delay. This process should be consistent with any measures necessary to determine adequate contact information, assess the breach's extent, and reinstate the data system's reasonable integrity, security, and confidentiality.

Any third party maintaining personal information for another entity is responsible for notifying the affected company of a breach of its data immediately after it discovers the breach.

Laws

  • N.C. Gen. Stat. §§ 75-61, 75-65 apply to businesses operating in North Carolina that either own or license personal information of North Carolina residents or conduct business in North Carolina and possess personal information, regardless of ownership or licensing.
  • Any organization subject to the statute must notify the impacted individual upon discovering or being informed of a security breach.
  • According to the Identity Theft Protection Act, the affected individuals must be notified immediately of the breach without further delay.

You can notify by telephone, written notice, or electronic notice. The notice must be visible and should contain the following details:

  1. Overview of the incident
  2. Specification of the personal information (PI) affected by the unauthorized access and acquisition
  3. Outline of the measures undertaken by the business to prevent further unauthorized access to PI
  4. Contact number for the business for further inquiries and assistance, if available
  5. Guidance advising individuals to stay vigilant by scrutinizing account statements and monitoring complimentary credit reports
  6. Contact details and addresses for major consumer reporting agencies provided toll-free

Additionally, businesses can send a substitute notice if over 500,000 people were affected or if the notification would cost over $250,000. This rule also applies in cases where the business lacks all the victims' contact information. The substitute notification should include the following:

  1. Sending emails
  2. Prominently displaying the notice on the company's website
  3. Informing prominent statewide media outlets

If a law enforcement agency notifies the business that immediate notification could hinder a criminal investigation or compromise national or homeland security, the business shall postpone the required notice. The company must submit the delay request in writing or document it simultaneously, which should include the name of the requesting law enforcement officer and the officer's agency involved in the investigation.

Resources