UNC research server hit by hacker attack

A computer server at the University of North Carolina at Chapel Hill (UNC-CH) has been hacked, potentially compromising the personal data of 236,000 women involved in a mammography research study.

The server was used to store patient data of 236,000 participants in the Carolina Mammography Registry (CMR), a research project funded since 1995 by the U.S. National Cancer Institute (NCI) to study community-based mammography practice. CMR is also a member site in the Breast Cancer Surveillance Consortium (BCSC), which operates a network of seven mammography registries.

The compromised server received screening mammography data from 31 sites in North Carolina. A potential problem with the server was initially discovered in July, when a researcher had difficulty booting up and using the system, UNC-CH radiology department chair Dr. Matthew Mauro told AuntMinnie.com. The server was then taken offline and an investigation by IT security specialists concluded it had likely been hacked, he said.

Because some viruses dating back to 2007 were found on the server, it's conceivable the hacking occurred as far back as two years ago. Given the difficulty encountered in July, however, it's also possible the "major" hacking occurred more recently, Mauro said.

The investigation so far has failed to determine who breached the system, from where the attack came, or if any patient information was downloaded, Mauro said. That investigation is still ongoing, with three independent IT groups continuing to evaluate the server.

In the meantime, UNC-CH began mailing letters this week to the 236,000 women who were potentially affected by the security breach. Of these women, 163,000 had records that included Social Security numbers, often used until a few years ago as patient identification codes.

Patient information that may have been compromised includes name, date of birth, address, phone number, demographics, insurance status, and health history. Patients who had Social Security numbers in their records were advised to place a fraud alert in their credit file and to periodically check their credit reports.

The institution said it would comply with any patient requests to remove their data from the registry, although it encourages women who are contemplating this measure to think carefully before taking this step.

The affected server is still offline and will remain so until additional security measures have been implemented. These will include additional firewalls, for example, as well as other security methods, Mauro said.

UNC-CH takes the responsibility of protecting the safety and integrity of the patient data very seriously, Mauro told AuntMinnie.com.

"This is the 15th year of doing the [CMR] study, and we think it's very important and continues to be very important," he said. "But we have the obligation to provide the best and most complete security that we can."

By Erik L. Ridley
AuntMinnie.com staff writer
September 29, 2009

Copyright © 2009 AuntMinnie.com
