North Carolina Cybersecurity Incidents: Notable Breaches & Ransomware Attacks

North Carolina is home to the second-largest banking center in the United States, a globally recognized biotech and research corridor, and a manufacturing sector that still employs hundreds of thousands of workers across the state. That combination of concentrated financial data, valuable intellectual property, and operational technology makes North Carolina one of the most attractive targets for cybercriminals operating in the eastern United States. Charlotte alone hosts the headquarters of Bank of America and Truist Financial, along with major East Coast operations for Wells Fargo, meaning that a single successful intrusion in the metro area could expose millions of financial records.

The incidents documented below are not hypothetical scenarios. Each one disrupted real North Carolina organizations, exposed real patient or citizen data, and cost real money to remediate. Studying these cases alongside the North Carolina cyber threat landscape gives businesses a concrete understanding of where their own defenses may fall short, and what attackers are actually doing in this state right now.

Major Cyber Incidents in North Carolina: A Timeline

2018 — Atrium Health Data Breach

In November 2018, Atrium Health (formerly Carolinas HealthCare System) disclosed a breach affecting approximately 2.65 million patients. The attack targeted AccuDoc Solutions, a third-party billing vendor that processed payment information for Atrium Health facilities. Attackers gained unauthorized access to AccuDoc's databases between September 22 and September 29, 2018. Compromised data included names, addresses, dates of birth, insurance policy details, medical record numbers, account balances, and dates of service. While no Social Security numbers or financial account numbers were confirmed stolen, the scale of the breach made it one of the largest healthcare data incidents in North Carolina history. The incident highlighted the persistent risk of third-party vendor compromises in healthcare supply chains.

2019 — NC Department of Health and Human Services Phishing Attack

The North Carolina Department of Health and Human Services (NC DHHS) reported that employee email accounts were compromised through a targeted phishing campaign in early 2019. The breach exposed personal information of Medicaid applicants and recipients, including names, addresses, dates of birth, Social Security numbers, and Medicaid identification numbers. NC DHHS determined that roughly 35,000 individuals were affected and notified them in accordance with state and federal requirements. The incident prompted the department to implement additional email security controls and mandatory phishing awareness training for all employees.

2020 — Catawba County Government Ransomware Attack

In February 2020, Catawba County government systems were hit by a ransomware attack that encrypted files across multiple departments. The attack disrupted county services including the library system and internal administrative functions. County officials worked with the North Carolina Department of Information Technology and federal law enforcement to investigate and recover. Catawba County did not pay the ransom and instead rebuilt affected systems from backups, though full restoration took several weeks. The incident illustrated how local governments with limited IT budgets remain vulnerable to ransomware campaigns that target municipalities nationwide.

2020 — UNC Health Phishing Breach

UNC Health, the academic health system affiliated with the University of North Carolina at Chapel Hill, disclosed in 2020 that a phishing attack had compromised employee email accounts containing protected health information. The breach affected patient records that included names, dates of birth, medical record numbers, health insurance information, and in some cases Social Security numbers and clinical details. UNC Health implemented enhanced email filtering, accelerated its deployment of multi-factor authentication, and notified affected patients in accordance with HIPAA and North Carolina breach notification requirements.

2021 — Duke Energy Contractor Data Exposure

Duke Energy, headquartered in Charlotte and serving millions of customers across the Carolinas, confirmed in 2021 that a security incident involving a third-party contractor resulted in unauthorized access to customer account information. While Duke Energy stated that its own internal systems were not directly compromised, the contractor breach exposed customer names, account numbers, and service addresses. The incident reinforced the importance of vendor risk management programs for critical infrastructure operators and prompted Duke Energy to tighten its third-party security requirements.

2022 — Novant Health Pixel Tracking Disclosure

Novant Health, based in Winston-Salem, disclosed in 2022 that improperly configured Meta (Facebook) pixel tracking code on its patient portal may have transmitted protected health information to Meta for approximately two years. The disclosure affected an estimated 1.36 million patients. The transmitted data potentially included IP addresses, appointment details, treating physicians, and portal interactions. While this was a misconfiguration rather than a traditional hack, it resulted in a class-action lawsuit and highlighted how marketing technology can create unintended data exposure in healthcare environments.

2023 — City of Charlotte Water Services Cyber Incident

Charlotte Water, a department of the City of Charlotte, experienced a cybersecurity incident in 2023 that temporarily disrupted online billing and customer service systems. While the city reported that water treatment and delivery operations were not affected, the incident forced the department to take several online systems offline for investigation and remediation. The attack on a major municipal utility underscored the growing threat to critical infrastructure services in North Carolina's largest city.

North Carolina Breach Notification Law

North Carolina's Identity Theft Protection Act, codified as N.C. Gen. Stat. § 75-65, requires businesses that experience a security breach involving personal information of North Carolina residents to notify affected individuals without unreasonable delay. Unlike Texas and some other states that specify a hard deadline, North Carolina's standard is "without unreasonable delay" with notification to the Attorney General required if more than 1,000 individuals are affected. Businesses must also notify consumer reporting agencies when a breach affects more than 1,000 people at once.

The law defines personal information broadly, covering Social Security numbers, driver's license numbers, financial account numbers in combination with security codes or passwords, and other identifiers. Violations can result in enforcement action by the North Carolina Attorney General under the state's Unfair and Deceptive Trade Practices Act, with penalties of up to $5,000 per violation. For a detailed breakdown of compliance obligations, see our guide to North Carolina cybersecurity laws and requirements.

Which North Carolina Industries Are Most Targeted?

Healthcare and Biotech

North Carolina's Research Triangle is home to one of the largest concentrations of biotech and pharmaceutical companies in the country, alongside major health systems like Duke Health, UNC Health, and Atrium Health. Healthcare organizations account for a disproportionate share of reported breaches in the state, driven by the high value of medical records on dark web markets and mandatory HIPAA reporting requirements.

Financial Services

Charlotte is the second-largest banking center in the United States by total assets, behind only New York City. Bank of America, Truist Financial, and Ally Financial are all headquartered there, and Wells Fargo maintains major East Coast operations in the city. This concentration of financial data makes the Charlotte metro a priority target for both organized cybercrime groups and nation-state actors.

Manufacturing

North Carolina has transitioned from traditional textiles to advanced manufacturing, including automotive parts, aerospace components, and electronics. Many manufacturers operate industrial control systems and operational technology that present unique security challenges. Organizations in this sector should evaluate managed IT services for manufacturing to address OT-specific vulnerabilities.

State and Local Government

County governments and municipalities across North Carolina often operate with constrained IT budgets and aging infrastructure. The Catawba County ransomware attack demonstrated that even well-intentioned local governments can be caught off guard. Small business IT security strategies are relevant to many of these organizations.

How to Protect Your North Carolina Business

The patterns in North Carolina incidents point to a handful of attack vectors that businesses can address proactively:

• Implement multi-factor authentication across all email systems, remote access points, and privileged accounts — phishing was the initial access vector in the NC DHHS, UNC Health, and multiple other incidents

• Audit third-party vendor security rigorously, since the Atrium Health and Duke Energy incidents both originated through contractor and vendor relationships

• Review marketing technology configurations to ensure tracking pixels and analytics tools are not inadvertently transmitting sensitive data, as the Novant Health disclosure demonstrated

• Maintain and test offline backups regularly — Catawba County's ability to recover without paying ransom depended entirely on having viable backups

• Segment networks between IT and OT environments, particularly in manufacturing and utility operations

• Develop and rehearse an incident response plan that accounts for North Carolina's breach notification requirements under § 75-65

Many North Carolina organizations work with managed IT services providers to maintain continuous monitoring and incident response capabilities without the overhead of a full in-house security operations center.

Frequently Asked Questions

How quickly must a North Carolina business report a data breach?

Under N.C. Gen. Stat. § 75-65, businesses must notify affected individuals "without unreasonable delay." The law does not specify a hard numerical deadline like some states. However, regulators and courts have generally interpreted this to mean notification should occur as soon as the business has completed a reasonable investigation and identified affected individuals. Excessive delay without justification can trigger enforcement action by the North Carolina Attorney General.

What types of data trigger North Carolina's breach notification requirement?

North Carolina's Identity Theft Protection Act covers breaches involving personal information defined as a person's first name or first initial and last name in combination with Social Security numbers, driver's license numbers, financial account or credit/debit card numbers with security codes, or other identifying information that could be used for identity theft.

Does North Carolina have a comprehensive data privacy law like California's CCPA?

As of 2025, North Carolina does not have a comprehensive consumer data privacy law equivalent to the CCPA or Virginia's CDPA. The state's primary data protection statute remains the Identity Theft Protection Act (§ 75-65), which focuses on breach notification rather than broad consumer privacy rights. Multiple bills have been introduced in the General Assembly to create more comprehensive privacy legislation, but none have been enacted. For current compliance obligations, see our North Carolina data privacy law guide.

Was the Atrium Health breach the largest data incident in North Carolina?

The 2018 Atrium Health breach, which affected approximately 2.65 million patients, is among the largest healthcare data incidents originating from North Carolina operations. The 2022 Novant Health pixel tracking disclosure affected an estimated 1.36 million patients. In terms of total individuals affected, the Atrium Health incident remains the single largest confirmed breach tied to a North Carolina-based organization.

Are North Carolina financial institutions subject to additional cybersecurity requirements?

Yes. Banks and financial institutions in North Carolina must comply with federal regulations including the Gramm-Leach-Bliley Act (GLBA), OCC guidance, and FDIC requirements in addition to state law. The North Carolina Commissioner of Banks also has regulatory authority over state-chartered banks and may impose additional cybersecurity expectations. Given Charlotte's status as a major banking hub, these requirements affect a significant portion of the state's workforce.

What role does the NC Department of Information Technology play in cybersecurity?

The North Carolina Department of Information Technology (NCDIT) oversees cybersecurity for state government agencies and provides guidance and support to local governments. NCDIT operates the NC Joint Cybersecurity Task Force, which coordinates incident response across state and local entities. The department also manages the state's cybersecurity risk management framework and publishes best practices for North Carolina government organizations.