Data breach at UNC-Chapel Hill: Tax forms with sensitive info sent to wrong people

UNC-Chapel Hill potentially exposed sensitive and personal information — including Social Security numbers — when the university erroneously sent tax forms to the wrong people and entities in January.

The error, first reported by WRAL on Friday and confirmed by The News & Observer, involved the university sending about 1,200 IRS Form 1099s to the wrong people.

According to a letter sent by the university’s privacy office to people potentially affected by the leak, the university on Jan. 25 printed about 3,400 Form 1099s to be sent to “distinct individuals or entities.” While those 3,400 forms were “properly printed,” the letter said, “only 2,214 envelopes containing the IRS Form 1099s were actually mailed.”

That resulted in the mailed envelopes containing multiple Form 1099s — meaning that, in addition to receiving the correct form, some recipients who received the mailed envelopes may have also inadvertently and erroneously received forms intended for other recipients.

The university was made aware of the error on Jan. 30, the letter said, and has attributed it to “human error and a processing issue.” The letter was sent to potentially affected individuals and entities on Feb. 28, about a month after the university discovered the error.

How form recipients will know if they are affected

After discovering the error, the letter said, the university reissued all of the more than 3,400 forms.

If recipients received two Form 1099s from the university this tax season, they were not impacted by the error and their information was only sent to the correct recipient, the letter said. But if recipients only received one Form 1099, the original form “was likely inadvertently mailed to another individual or entity.”

“The individuals whose information may have been involved in this incident have been contacted directly,” UNC media relations said in an email to The N&O on Friday.

Form 1099s are used to report income that does not come from a full-time employer — such as income earned by independent contractors or on a freelance basis.

The forms, when filled-out by an employer, include the form recipient’s tax identification number, which is often a recipient’s Social Security number. The forms also include the recipient’s name and address.

At the time the letter was sent to potentially affected people and entities on Feb. 28, the university had not found evidence that affected individuals’ or entities’ information had been “misused” — but the letter said misuse, including identity theft, was still possible as a result of the breach.

What to do if you were affected by the breach

In response to the breach, the letter to potentially affected people and entities said, the university has “implemented updated processes, technical improvements, and employee training to help prevent something like this from happening again.”

The university is also “offering identity theft protection services through IDX, the data breach and recovery services expert” to those impacted. The services include “12 months of Triple Bureau credit monitoring, CyberScan dark web monitoring, a $1,000,000 insurance reimbursement policy, and fully managed identity theft recovery services,” the letter said.

Instructions to enroll in the program, as well as additional recommended steps for protecting personal information, were included in the letter. Those wishing to enroll in the protection service must do so by May 28, the letter said.

In a statement emailed to The N&O, UNC media relations said: “We deeply regret any concern or inconvenience this incident may have caused.”