News

U North Carolina Undertakes Review in Face of 7-State Data Breach

• By Dian Schaffhauser
• 10/09/09

A data breach that took place in 2007 at the University of North Carolina at Chapel Hill and was discovered in late July 2009 is finally being reported to victims by letter. University staffers reported that they believe the security breach exposed social security numbers for about 114,000 women, although about 180,000 records were potentially exposed as a result of the incident.

The women's records were part of a multi-year medical research study, the Carolina Mammography Registry, which collects and analyzes data from 31 sources in seven states using software developed by the university. The records also contained names and in many cases dates of birth, addresses, phone numbers, demographic information, insurance status, and health history information. Several years ago, the study had stopped collecting survey subjects' Social Security numbers when those developing security policy deemed the practice unsafe.

The principal investigator of the Registry, Bonnie Yankaskas, a professor in the Department of Radiology, offered an apology to victims in a letter (PDF) mailed out during the first week of October. "I have devoted my career to advancing the health of women and working to improve mammography screening, and I am devastated by this incident," Yankaskas wrote. "Please accept my sincerest apology, and please be assured that the Registry is continuing to evaluate its computer systems and to implement additional measures to safeguard its servers."

In a document with frequently asked questions, university administrators said they haven't been able to determine whether individual personal information was accessed during the digital break-in. "Even if your personal information was accessed," the FAQ (PDF) said, "we have no way to know whether your personal information has been or will be misused."

The same document said that the university delayed response to victims in order to conduct a forensic investigation. Once the investigation was done, the FAQ reported, "It took some additional time to prepare and mail the notification letters to alert affected individuals of this incident and to set up a toll-free call center."

According to coverage in the school newspaper, The Daily Tar Heel, university personnel realized that the hacked server wasn't located behind a firewall. When the hack was uncovered, the university removed the compromised server from the network and scrubbed the data on it.

The university has advised potential victims to place a fraud alert on their credit file and to review their credit reports periodically; but the FAQ also reminded recipients that the Registry collected no information about bank accounts or credit cards.