CHAPEL HILL — A prominent cancer researcher at UNC-Chapel Hill is fighting the demotion and pay cut she received after a computer server she oversees was hacked, exposing about 180,000 patient files.
Bonnie Yankaskas, who holds a doctorate in epidemiology, says she should not be responsible for a lapse by the school's information technology staff.
"I clearly have been scapegoated," she said. "I bear the responsibility for my group doing what's right. But do I bear the responsibility for this machine not being secure? How do you lay that on me?"
Yankaskas has appealed her demotion to UNC-CH's board of trustees.
Her rank was reduced from full to associate professor and her pay cut from $178,000 to $93,000 - punishment for what university officials say was the scientist's failure to secure a server housing medical information including about 114,000 Social Security numbers.
UNC School of Medicine officials discovered in 2009 that the server had been infiltrated two years earlier. It held data for the Carolina Mammography Registry, a 15-year project that compiles and analyzes mammogram data in an effort to improve breast cancer screening.
Though the university doesn't believe any personal information was removed, it nonetheless notified all 180,000 women with data on the server and set up a call center to answer questions once word of the breach got out. Doing so cost roughly $250,000, officials say.
Yankaskas, the principal investigator on the federally funded project, said some medical school staffers knew as early as 2006 that her server could be compromised. But she insists she was never told.
Yankaskas has continued to receive National Institutes of Health funding even after the breach was detected. The data her registry collects feeds a larger, national effort whose collective findings help shape federal policy on breast cancer screenings.
"She's highly regarded by her colleagues," said Rachel Ballard-Barbash, associate director of the applied research program with the National Cancer Institute's division of cancer control and population sciences. "We've always found her to operate with the greatest integrity."
Firing had been sought
At first, university officials sought to fire Yankaskas. But on appeal, a faculty hearings committee determined that part of the basis for her dismissal - that she had improperly collected mammogram data from UNC Hospitals patients - wasn't valid.
The faculty committee also ruled that Yankaskas wasn't "recklessly ignorant of security concerns." In an eight-page report recommending that she be demoted but not fired, the committee suggested that Internet security is more complicated than Yankaskas understood at the time.
"She appears from the record simply not to have kept up with the dramatic rise in and change of computer security concerns over the fifteen-plus year course of the CMR project," Richard Whisnant, chairman of the faculty hearings committee, wrote.
UNC-CH Provost Bruce Carney agreed that Yankaskas shoulders some blame.
"She's not a security expert, but she should understand the importance of it and make sure it's being satisfied," Carney said.
The registry collects and analyzes mammogram data submitted by dozens of radiology offices across North Carolina. It came as a surprise to many women who learned of their participation in the study only when the university notified them of the breach last year.
Federal regulators don't require patient consent for projects like the Carolina Mammography Registry because it is a population-based study dealing with hundreds of thousands of pieces of data.
When the breach was made public last year, the medical school received more than 1,600 calls from women fearful that their Social Security numbers and other personal information had been compromised. At least one clinic, Wake Radiology, pulled out of the study.
Now, the university is centralizing much of its IT security, a costly but necessary venture.
"The public's trust is easily lost and hard to win," Carney said. "That's why this is so serious an issue."
Work 'needs to go on'
The UNC project is one of five in the nation contributing mammography data to a national registry administered and funded by the National Cancer Institute.
UNC-CH thinks enough of Yankaskas' body of work with the registry to allow it to continue even as her punishment and future have been debated.
"This is a very, very big study of considerable importance," Carney said. "It needs to go on."
Yankaskas said the project would be crippled if she were dismissed or agreed to a settlement the university has offered her - withdrawing her disciplinary action and reinstating her rank and full salary if she leaves by next June.
She's not interested.
"I have work to do," said Yankaskas, 65. "I'm not going away."
firstname.lastname@example.org or 919-829-4563