Researcher's demotion hurts UNC image

Blamed for hacker's breach

Staff WriterFebruary 3, 2011 

  • The Carolina Mammography Registry is one of five regional centers in the United States that collects and analyzes mammography data submitted by radiologists. Information is added to a national registry and used to assess care in various populations and to predict outcomes of breast cancer screenings.

— From afar, Oregon scientist Patty Carney has long held UNC-Chapel Hill in high regard.

But no longer, she says. Not after the way it has dealt with prominent cancer researcher Bonnie Yankaskas.

Carney, a professor at the Oregon Health & Science University, watched with surprise as UNC-CH first tried to fire Yankaskas and subsequently demoted her and cut her salary after a hacker's infiltration of a research database she oversees. The university's investigation found that the 2007 breach endangered 180,000 patient files, including about 114,000 Social Security numbers.

Still, the sanctions have struck Yankaskas' colleagues as unnecessarily harsh. They think she was maligned by a university that has long benefited from her accomplishments.

"The image of UNC as being this place where smart, inquisitive people could conduct research with pride was huge," said Carney, a family medicine professor. "The fact that they handled this in this way - you couldn't pay me a million bucks to work there."

Carney is one of 127 university professors to sign a petition backing Yankaskas in her quest for full job and salary reinstatement. The petition, signed predominantly by UNC-CH faculty members, has been presented to the board of trustees, which was set to review an appeal of Yankaskas' demotion. That appeal has been tabled, with the two parties now headed to mediation this month.

Some at UNC-CH fear that the situation, which has received thorough coverage in higher-education publications, may have long-term consequences for the university as it tries to recruit faculty.

"The university comes out looking not so good," said Michael Knowles, a UNC-CH medical school professor who helped put the petition together. "If I was considering coming here, I might have second thoughts."

Infiltrated server

For 15 years, Yankaskas has overseen the Carolina Mammography Registry, a federally funded project that compiles and analyzes mammogram data submitted by dozens of radiology offices across North Carolina to improve breast cancer screening.

In 2009, UNC School of Medicine officials discovered that the server had been infiltrated two years earlier. Though the university doesn't think any personal information was removed, it nonetheless notified all 180,000 women with data on the server and set up a call center to answer questions. That cost roughly $250,000.

The medical school received more than 1,600 calls from women afraid their personal information had been compromised. At least one clinic, Wake Radiology, pulled out of the study.

As the leader of the registry project, Yankaskas was responsible for making sure the data was secure. Because she's not an information technology expert herself, she hired a staff member to do so.

UNC-CH Chancellor Holden Thorp could not be reached this week for comment. Robert Winston, chairman of the board of trustees, said he could not comment but hopes the mediation will work things out.

Yankaskas, 65, is still working and continues to receive National Institutes of Health funding. The data her registry collects feed a larger, national effort whose collective findings help shape federal policy on breast cancer screenings.

Who's responsible?

Yankaskas, who holds a doctorate in epidemiology, has argued that she can't be expected to be a data security expert. But John Baines, who works in the information technology department at N.C. State University, said Yankaskas, as principal investigator for the project, should be held responsible. Baines said security is particularly important in this case because the data included 114,000 Social Security numbers, which he referred to as the "lightning rod of privacy these days."

"If it was just a matter of someone breaking through a firewall and going through some [anonymous] data, I wouldn't have a problem with it," Baines said. "But with this kind of data, you may not know how, but you should say 'these are Social Security numbers, and I ought to take care of them.' "

At first, university officials sought to fire Yankaskas. But on appeal, a faculty hearings committee determined that part of the basis for her dismissal - that she had improperly collected mammogram data from UNC Hospitals patients - wasn't valid.

The faculty committee also ruled that Yankaskas wasn't "recklessly ignorant of security concerns." In an eight-page report recommending that she be demoted but not fired, the committee suggested that Internet security is more complicated than Yankaskas understood at the time.

UNC-CH reduced Yankaskas' rank from full to associate professor and her cut her pay from $178,000 to $93,000.

The punishment concerns other researchers who oversee secure data.

"I am far from computer savvy, so even though I do bear responsibility for my studies, I am dependent on the people who work for me," said Knowles, the medical school professor. "It's a wake-up call. I'm sure Dr. Yankaskas thought she was doing things the right way."

eric.ferreri@newsobserver.com or 919-829-4563

News & Observer is pleased to provide this opportunity to share information, experiences and observations about what's in the news. Some of the comments may be reprinted elsewhere in the site or in the newspaper. We encourage lively, open debate on the issues of the day, and ask that you refrain from profanity, hate speech, personal comments and remarks that are off point. Thank you for taking the time to offer your thoughts.

Commenting FAQs | Terms of Service