10/28/09 — County patients caught in UNC data loss

View Archive

County patients caught in UNC data loss

By Nick Hiltunen
Published in News on October 28, 2009 1:46 PM

Elizabeth "Ann" Thompson thought she was just getting a mammogram.

Instead, the Pricetown woman also got entered into a large, federally approved database that included sensitive, personally identifiable information like Social Security numbers, last names and birth dates.

And because of current rules designed to serve the greater good by gathering data about public health scourges like breast cancer, she was entered in that database without her knowledge.

Then, that data's security was breached, affecting Mrs. Thompson and about 160,000 other patients, nearly all of whom also did not know they were part of the database-driven study.

The problem arose when hackers got into the servers housing that database, at the University of North Carolina-Chapel Hill, confirmed university Vice President of Public Affairs Karen McCall.

"We had a server where information was kept about the registry, and ... when we were trying to install some software at the end of July, they found some traces of worms," Ms. McCall said.

Mrs. Thompson isn't the only person affected here in Wayne County; local Republican Party and animal rights activist Doris Petrak was part of the compromised database as well.

Mrs. Petrak said she knows of at least two other people who had received letters from UNC-Chapel Hill about the security breach.

Although UNC-Chapel Hill computer security experts don't believe any information was actually taken from the servers, Mrs. Petrak said an inquiry needs to continue.

"This really needs to be investigated -- how long a period that someone was into that server," Mrs. Petrak said. "I never dreamed in a million years of finding this out, that something like this could happen."

The university's first signs that there was trouble with the server that housed the database was not direct evidence of hackers, but rather bits of small, malicious programs called "worms."

A worm is a computer program that replicates itself, usually causing some sort of harm to a computer network.

The presence of the worm traces led to a deeper investigation, and it was discovered that hackers had been inside the server that houses the Carolina Mammography Registry, Ms. McCall said. Of those 160,000 records, about 114,000 had Social Security numbers attached to them, she said.

Whether a person's Social Security number was present in the files depended largely on how long ago she had first had a mammogram at a center that submits data to the Carolina Mammography Registry.

"This database has been around for a long time," Ms. McCall said. "Unfortunately, the Social Security number (was often used) as the best identifier, because it was the one constant."

To inform affected patients, the university sent out letters to people with potentially compromised records, and informed those patients with Social Security numbers in the database that the identifiers might have been stolen.

Ms. McCall defended the federal notification exemptions -- the rules that allowed people to be entered into a database without their knowledge -- which are granted by Institutional Review Boards. The bodies are given authority by the U.S. Food and Drug Administration and the Department of Health and Human Services.

Ms. McCall said the data in a study including only people willing to be involved could be skewed, making waivers of consent necessary.

"You're trying to have a truly representative sample, not just those people that chose to participate," Ms. McCall said.

The exemption granted to the Carolina Mammography Registry might save hundreds, even thousands of lives by analyzing the breast cancer data it contains, the university spokeswoman said.

"The reason you do this kind of research is really because you are trying to save lives, and produce societal good," Ms. McCall said.

She also noted, however, "It's absolutely critical that people's information be protected."

Ms. McCall noted that criminals who use computer knowledge as a weapon seem to be ever more proficient in procuring guarded data.

The public affairs vice president said servers at the UNC-Chapel Hill campus are attacked an average of 20 million times a year..

"I know that everybody is so upset with UNC," Ms. McCall said. "But we were attacked. That's something that I'd like to emphasize."