CHAPEL HILL — A hacker has infiltrated a computer server housing the personal data of 236,000 women enrolled in a UNC-Chapel Hill research study.
Among the information exposed: the Social Security numbers of 163,000 study participants.
Though the intrusion was detected in late July, computer forensics experts say it may have happened two years ago, said Matthew Mauro, chairman of the UNC-CH Department of Radiology.
And though UNC-CH officials and a private computer forensic expert have spent two months investigating, they still don't know who did the hacking, where the attack originated, or even whether data was downloaded.
"There's no direct evidence that any information has been removed," Mauro said. "But we can't say for sure."
The compromised server had all required security measures, Mauro said. It was one of two servers housing data on more than 662,000 women. The data are part of the Carolina Mammography Registry, a 14-year-old project that compiles and analyzes mammography results submitted by radiologists across the state.
The data are submitted to UNC-CH electronically; that process will now be tightened up, Mauro said.
Until several years ago, Social Security numbers were used as patient identification codes, which is why that information was part of some, but not all, patient files.
The project is funded by a five-year National Institutes of Health grant worth more than $2 million. Mauro and the project's chief researcher, Bonnie Yankaskas, say they hope the security breach doesn't affect future federal funding.
A spokeswoman for the NIH declined to comment Thursday.
"This is the worst thing that could possibly happen," said Yankaskas, who has led the project since its inception. "It's the kind of thing that, in 1995, we didn't even think about. We go through all these measures to make everything secure, and then a hacker comes along and turns it upside down. I'm devastated."
Universities are popular targets for hackers because, unlike private corporations, their computing systems are largely decentralized, said Karen McCall, a UNC Health Care spokeswoman. Thus, security breaches aren't always detected quickly.
While they didn't find evidence that files were downloaded, investigators did find traces of viruses dating to 2007, Mauro said, an indication that the registry had been compromised for that long.
"Once they gain access to a system, they are often just taking a peek," said John Snyder of Net Friends, a Durham security firm. "They may have accessed many systems, and they'll get to you when they get to you."
Snyder cautioned that information may have been taken even if there were no traces of that happening.
"It's pretty easy to make a copy of something to an external source and cover your tracks," he said.
The hacked server has been taken down, its data removed, and the intrusion has prompted a broad examination of computer server security across the medical school, Mauro said. The medical school alone has about 580 servers housing research and clinical data. That does not include UNC Hospitals' patient files, which are maintained separately.
In coming days, the medical school will send letters to all 236,000 study participants about the security breach. School officials said they held off on notifying participants until they had completed their investigation and would be able to field questions.
For 14 years, the research project has studied the practice of mammography and helped identify breast cancer risk factors and improve early detection.
"I know women will be upset by this," said Yankaskas, the lead researcher. "I'm hoping they will appreciate the good this project is doing and let us continue."
Staff writer Ray Martin contributed to this report.