UNC Breach Exposes Social Security Numbers

More than 163,000 women who participated in a mammography research project at the University of North Carolina are just now finding out that personal information — including their social security numbers — was accessed by hackers sometime in 2007.

The data was just a portion of the information compiled by the university’s radiology department as part of a 14-year-old project that compiles and analyzes mammography data from radiologists throughout the state. The compromised server was one of two housing the medical information of more than 660,000 women, university officials said.

UNC officials discovered the data breach in July when a researcher was unable to access the system. IT staffers and a computer forensics expert called in to investigate the breach found traces of viruses dating back to 2007.

There is no evidence that any of the data was removed or altered, according to Dr. Matthew Mauro, chairman of the UNC Department of Radiology.

North Carolina is one of 43 states that require companies and organizations to notify people when their personal information is accidentally or deliberately compromised.

Colleges and universities have been particularly hard hit by hackers in the past year.

In April, University of California at Berkeley officials said hackers infiltrated a health care database containing the personal information of more than 160,000 students dating back to 1999.

Similar attacks were reported this year at Montana State University, the University of Michigan and the University of Alabama.

IT security experts say colleges and universities are particularly attractive to hackers because research computers have Internet access, abundant processing power and, obviously, the data, since the schools are constantly conducting large-scale research projects.

“The other thing is that we’re willing to talk about [data breaches] whereas most companies won’t,” said Randy Marchany, director of the IT security lab at Virginia Tech. “Whether it was a vulnerability in the Web app code sold by the vendor or a homegrown application by a faculty member, I’ll bet you your favorite beverage that the breach up in Chapel Hill was a SQL injection.”

The UNC study, funded by a five-year National Institutes of Health grant, used social security numbers as patient identification codes up until a few years ago. The mammography data was submitted electronically to the UNC servers from individual physicians and hospitals around the state.
