U North Carolina Undertakes Review in Face of 7-State Data Breach

A data breach that took place in 2007 at the University of North Carolina at Chapel Hill and was discovered in late July 2009 is finally being reported to victims by letter. University staffers reported that they believe the security breach exposed Social Security numbers for about 114,000 women, although about 180,000 records were potentially exposed as a result of the incident.

The women's records were part of a multi-year medical research study, the Carolina Mammography Registry, which collects and analyzes data from 31 sources in seven states using software developed by the university. The records also contained names and in many cases dates of birth, addresses, phone numbers, demographic information, insurance status, and health history information. Several years ago, the study had stopped collecting survey subjects' Social Security numbers when those developing security policy deemed the practice unsafe.

The principal investigator of the Registry, Bonnie Yankaskas, a professor in the Department of Radiology, offered an apology to victims in a letter (PDF) mailed out during the first week of October. "I have devoted my career to advancing the health of women and working to improve mammography screening, and I am devastated by this incident," Yankaskas wrote. "Please accept my sincerest apology, and please be assured that the Registry is continuing to evaluate its computer systems and to implement additional measures to safeguard its servers."

In a document with frequently asked questions, university administrators said they haven't been able to determine whether individual personal information was accessed during the digital break-in. "Even if your personal information was accessed," the FAQ (PDF) said, "we have no way to know whether your personal information has been or will be misused."

The same document said that the university delayed response to victims in order to conduct a forensic investigation. Once the investigation was done, the FAQ reported, "It took some additional time to prepare and mail the notification letters to alert affected individuals of this incident and to set up a toll-free call center."

According to coverage in the school newspaper, The Daily Tar Heel, university personnel realized that the hacked server wasn't located behind a firewall. When the hack was uncovered, the university removed the compromised server from the network and scrubbed the data on it.

The university has advised potential victims to place a fraud alert on their credit file and to review their credit reports periodically, but the FAQ also reminded recipients that the Registry collected no information about bank accounts or credit cards.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.
