CHAPEL HILL — A security breach involving patient data in a UNC-Chapel Hill medical school computer server has prompted an investigation by the state Attorney General's Office.
By Tuesday, the consumer division of Attorney General Roy Cooper's office had received 25 calls from women whose personal data had been submitted to a UNC-CH mammography study. University officials recently discovered a hacker had infiltrated one of the study's computer servers.
Many women learned of their participation in the study when UNC-CH sent them letters detailing the breach.
"We've got concerns about it and are looking into it," said Noelle Talley, a spokeswoman for the N.C. Department of Justice.
But radiologists who submit the mammography data to a UNC medical school study do not need patients' consent to do so, a UNC Health Care spokeswoman said Tuesday.
Federal regulators waive the consent requirement for projects like the Carolina Mammography Registry because it is a population-based study dealing with hundreds of thousands of pieces of data, said Karen McCall, the UNC Health Care spokeswoman.
That's no comfort to Tammy McCauley of Clayton, who didn't even know her mammograms were part of the study until she got a letter recently detailing how a computer server containing her Social Security number and other personal information had been compromised by a hacker.
"I never remember anyone saying anything about a study or participating in it," said McCauley, 60. "Maybe they don't have to ask, but they should at least give you a heads-up."
As many as 160,000 patient files may have been exposed, including 114,000 Social Security numbers. But university officials say there is no evidence that any data were downloaded. University officials don't know who the hacker is.
The 14-year-old registry collects and analyzes mammograms submitted by dozens of radiology offices across the state. Before the registry was created, federal regulators waived any requirement that patients be asked for their consent.
"There are so many participants that the cost of getting permission would be prohibitive to the point of not being able to do the study," McCall said.
A federal law requires that mammograms with certain indicators be tracked to see if the patient develops cancer, McCall said. That's why registries like the UNC-CH project exist, she said.
The compromised server was one of two housing data on more than 662,000 women.
Until several years ago, Social Security numbers were used as patient identification codes, which is why that information was part of some, but not all, patient files.
A National Institutes of Health grant worth more than $2 million funds the project. The intrusion was detected in late July but may have occurred as far back as 2007, officials said.
Pam Bridges of Cary was among the women who received the UNC-CH letter.
"It came as a shock to me that a research facility had my personal information and there had been a breach of that information when I hadn't consented to it," Bridges said.
As of Tuesday, the medical school had received 1,620 calls seeking information about the breach, McCall said.