Medium Severity (Score: 5/10)

NC Department of Health Breach: 3,437 Patients Exposed in Paper Records

Breach Details

  • Entity: North Carolina Department of Health and Human Services
  • Individuals Affected: 3,437
  • State: NC
  • Breach Type: Unauthorized Access/Disclosure
  • Location: Paper/Films
  • Date Reported: September 29, 2025
  • Entity Type: Health Plan
  • Business Associate: No

North Carolina DHHS Data Breach Exposes 3,437 Patients' Health Information

The North Carolina Department of Health and Human Services (NC DHHS) has reported a significant healthcare data breach to the U.S. Department of Health and Human Services Office for Civil Rights, affecting 3,437 individuals. The incident, which involved unauthorized access to paper records and films containing protected health information (PHI), was reported on September 29, 2025.

What Happened

According to the breach notification filed with the HHS Office for Civil Rights, the North Carolina Department of Health and Human Services experienced an unauthorized access and disclosure incident involving physical documents. The breach specifically affected paper records and films containing sensitive patient health information.

While the department's Privacy and Security Office, which "provides information security leadership for the Department of Health and Human Services by safeguarding information from unauthorized access," discovered the incident, no additional details about the specific circumstances, timeline, or root cause of the breach have been made publicly available at this time.

The breach has been classified as an "Unauthorized Access/Disclosure" incident, indicating that protected health information was improperly accessed or shared without proper authorization. Unlike many modern healthcare breaches that involve electronic systems and cyberattacks, this incident specifically involved physical paper documents and films.

Who Is Affected

The breach impacted 3,437 individuals whose protected health information was stored in the compromised paper records and films. As a health plan entity, NC DHHS likely maintained these records as part of its healthcare coverage and benefits administration services.

Affected individuals may include:

  • Current and former Medicaid beneficiaries
  • State health plan participants
  • Individuals enrolled in other state-administered health programs
  • Dependents covered under state health plans

Breach Details

Key Facts:

  • Entity Involved: North Carolina Department of Health and Human Services
  • Entity Type: Health Plan
  • Individuals Affected: 3,437
  • Breach Classification: Unauthorized Access/Disclosure
  • Location: Paper/Films (physical documents)
  • Date Reported to OCR: September 29, 2025
  • State: North Carolina

What Makes This Breach Notable

This incident is particularly noteworthy because it involves physical paper records rather than electronic health records. In an era where most healthcare data breaches involve sophisticated cyberattacks, ransomware, or electronic system vulnerabilities, breaches involving paper records highlight ongoing security challenges in healthcare organizations that maintain hybrid record-keeping systems.

Paper-based breaches can occur through various scenarios, including:

  • Theft of physical files
  • Improper disposal of documents
  • Unauthorized access to filing systems
  • Misfiling or misdirection of sensitive documents
  • Employee misconduct or negligence

What This Means for Patients

For the 3,437 affected individuals, this breach potentially exposes their protected health information to unauthorized parties. While the specific types of information compromised have not been detailed in the available breach notice, paper health records typically contain:

  • Patient names and contact information
  • Social Security numbers
  • Insurance identification numbers
  • Medical diagnoses and treatment information
  • Prescription medication details
  • Provider information
  • Claims and billing data

Potential Risks

Patients affected by this breach may face several risks:

  1. Identity Theft: Personal identifying information could be used to open fraudulent accounts or make unauthorized purchases
  2. Medical Identity Theft: Health insurance information could be used to obtain medical services fraudulently
  3. Privacy Violations: Sensitive health information could be disclosed inappropriately
  4. Insurance Fraud: Compromised insurance details could lead to fraudulent claims

How to Protect Yourself

If you believe you may be affected by this breach, consider taking these protective steps:

Immediate Actions

  1. Monitor Financial Accounts: Regularly check bank statements, credit card bills, and insurance statements for unauthorized activity
  2. Review Medical Records: Obtain copies of your medical records and insurance claims to verify accuracy
  3. Watch for Fraudulent Medical Bills: Be alert for medical services you didn't receive appearing on insurance statements

Ongoing Protection

  1. Credit Monitoring: Consider enrolling in credit monitoring services to detect potential identity theft
  2. Fraud Alerts: Place fraud alerts on your credit reports with major credit bureaus
  3. Regular Credit Reports: Obtain free annual credit reports and review them carefully
  4. Healthcare Provider Communication: Stay in contact with your healthcare providers about any unusual account activity

If You Suspect Fraud

  • Contact your healthcare providers immediately
  • File reports with local law enforcement if necessary
  • Report suspected medical identity theft to your health insurer
  • Consider filing complaints with relevant state agencies

Prevention Lessons for Healthcare Providers

This breach offers important lessons for healthcare organizations that maintain paper records alongside electronic systems:

Physical Security Measures

  1. Secure Storage: Implement locked filing systems with restricted access
  2. Access Controls: Limit personnel access to sensitive documents based on job responsibilities
  3. Surveillance: Consider security cameras in areas where sensitive documents are stored
  4. Clean Desk Policies: Require staff to secure documents when not in use

Document Handling Procedures

  1. Chain of Custody: Establish clear procedures for document handling and transfer
  2. Regular Audits: Conduct periodic reviews of physical record security
  3. Staff Training: Provide comprehensive training on proper document handling
  4. Incident Response: Develop clear procedures for reporting suspected breaches

Technology Integration

  1. Digital Transition: Consider accelerating the conversion of paper records to secure electronic systems
  2. Hybrid Security: Ensure security measures address both physical and electronic record systems
  3. Backup Procedures: Maintain secure copies of critical documents

Compliance Considerations

Healthcare entities must remember that HIPAA's Security Rule applies to both electronic and paper records. The Privacy Rule's safeguards requirements extend to all forms of protected health information, regardless of format.

Regular risk assessments should evaluate physical security measures alongside cybersecurity protocols. Organizations maintaining paper records must ensure their compliance programs address the unique vulnerabilities associated with physical document storage and handling.

The NC DHHS breach serves as a reminder that comprehensive healthcare data security requires attention to all forms of PHI storage and processing, from advanced electronic systems to traditional paper filing systems.

Source: This breach was reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Breach Portal. Data sourced from ocrportal.hhs.gov. Analysis and article generated by HIPAA Agent.
