I have followed many data breaches over the past few years, but none has made me angrier than the one at the University of North Carolina at Chapel Hill. The UNC School of Medicine collected personal information that included Social Security numbers from study participants as part of a mammography research project. The study collected personal information from a total of 236,000 women, of which 163,000 gave their Social Security number.
The University admits that a breach was first discovered back in July. The server in question was taken offline. After an investigation, the university's IT staff discovered the intrusion might have taken place as much as two years prior, finding viruses that dated back to 2007.
Now here is the kicker. Knowing this, the university waited until now to start notifying study participants that their Social Security numbers may have been compromised. University officials have stated that they waited because they needed time to piece together the extent of the damage.
In every failure, there is an opportunity for improvement. I hate playing Monday morning quarterback, but these types of incidents give every security professional a black eye. First, why was the study collecting Social Security information? I know several people who have participated in studies like this, and Social Security information is not collected because it is not relevant to a study. This is obvious even in this case because not all participants gave their number. Second, why were viruses that were two years old found on that server? You have to ask why a server storing this kind of information wasn't administered more carefully. Does a HIPAA violation come to mind? Finally, why did the university wait so long to notify study participants that their data might have been compromised? This is totally unacceptable, no matter what the situation. I believe that the university waited because it needed time to develop an excuse.
According to North Carolina law, if the breach affects more than 1,000 people, the organization is required to notify the Consumer Protection Division of the Attorney General's office. I tried to contact the office to see if it was notified, but as of this writing I have not received a return phone call. I did check the North Carolina Department of Justice site to see if there was anything regarding the incident, but there was no mention of the breach.
A bill proposed by Senator Patrick Leahy puts forward stronger consumer data protection. There are many bills pending in Congress and on state dockets that address these issues. Why is it taking so long?
Making mistakes is a part of human nature. You admit them, correct them, apologize for them, and in this case, notify the people affected. This UNC incident is an example of an organization doing the wrong things AND doing things wrong.