Lessons and Questions from a Poorly Handled Data Breach

Ralph DeFrangesco

I have followed many data breaches over the past few years, but none has made me angrier than the one at the University of North Carolina at Chapel Hill. The UNC School of Medicine collected personal information that included Social Security numbers from study participants as part of a mammography research project. The study collected personal information from a total of 236,000 women, of which 163,000 gave their Social Security number.


The University admits that a breach was first discovered back in July. The server in question was taken offline. After an investigation, the university's IT staff discovered the intrusion might have taken place as much as two years prior, finding viruses that dated back to 2007.


Now here is the kicker. Knowing this, the university waited until now to start notifying study participants that their Social Security numbers may have been compromised. University officials have stated that they waited because they needed time to piece together the extent of the damage.


In every failure, there is an opportunity for improvement. I hate playing Monday morning quarterback, but these types of incidents give every security professional a black eye. First, why was the study collecting Social Security information? I know several people who have participated in studies like this, and Social Security information is not collected because it is not relevant to a study. This is obvious even in this case because not all participants gave their number. Second, why were viruses that were two years old found on that server? You have to ask why a server storing this kind of information wasn't better administered. Does a HIPAA violation come to mind? Finally, why did the university wait so long to notify study participants that their data might have been compromised? This is totally unacceptable, no matter what the situation. I believe that the university waited because it needed time to develop an excuse.


According to North Carolina law, if the breach affects more than 1,000 people, the organization is required to notify the Consumer Protection Division of the Attorney General's office. I tried to contact the office to see if it was notified, but as of this writing I have not received a return phone call. I did check the North Carolina Department of Justice site to see if there was anything regarding the incident, but there was no mention of the breach.


A bill proposed by Senator Patrick Leahy puts forward stronger consumer data protection. There are many bills pending in Congress and on state dockets that address these issues. Why is it taking so long?


Making mistakes is a part of human nature. You admit them, correct them, apologize for them, and in this case, notify the people affected. This UNC incident is an example of an organization doing the wrong things AND doing things wrong.

Oct 1, 2009 1:18 AM Susan Hall says:


As far as I understand, the Social Security numbers initially were used as patient identification, but the process was changed a couple of years back to eliminate the use of Social Security numbers in patient identification. I wrote about that in my news post:


I can't answer your other questions, though.

Oct 7, 2009 2:58 AM Greg Senko says:

If participants were paid, that might explain the need for SSNs.

Oct 8, 2009 8:31 AM Eva Fallon says:

When doing follow-up, the Social Security number may be used to identify deceased study participants (e.g. 5-year survival rate in a cancer study).

