Local News

Mammography study hacked, personal data at risk

Posted October 14, 2009

— Hundreds of thousands of women found out by letter this week that their personal information, including Social Security numbers, might have been exposed to identity theft.

The Carolina Mammography Registry at the University of North Carolina School of Medicine gathers data from radiologists across the state. The breach at UNC affects women who did not know the registry existed and did not give consent to have their information included.

UNC study suffers security breach UNC study suffers security breach

Patients, like Pam Bridges, were surprised and angered.

“To find out my information is out there floating around somewhere -- and this could happen to anybody,” she said. “That's what's frustrating to me as a citizen who does her best to try to protect her personal information ... because I don't want to be a victim of ID theft.”

Computer experts don’t know how or when the hack originated or how much data was compromised.

The North Carolina Department of Justice recommends that people who are notified of a possible breach of personal information monitor their credit closely, request a fraud alert from major credit bureaus and consider putting a freeze on new requests for credit.

Bridges wondered why Social Security numbers were passed along with study data. Some radiology offices used those numbers as patient identifiers.

Wake Radiology issued a statement Wednesday withdrawing from the study and any others that require personal data. “Involvement in future studies will be limited to anonymous, unidentified data,” the statement said.


This story is closed for comments.

Oldest First
View all
  • St Ives Oct 16, 2009

    If anyone out there knows a good attorney let me know. Our file were passed on dispite hippa laws that were passed a few years back. I was told they were given permission by bla bla to do this. It is like me giving your son permission to drive the neighbors car! I feel a class action lawsuit is nin the making here.

  • LaLa-Land Oct 15, 2009

    I am also one of those women, got my letter on Oct 13th, and I AM furious. Nowhere did I sign a release form, and with all the other stuff that goes on in life, this is just one more headache to have to deal with that should have never happened due to someone else's negligence. I agree their servers are unsecure, and wonder why did they not apply appropriate security measures when running SSNs through a study.

    I am certain we will see more breaches of information before it is taken seriously, and I too want to see the release form I signed.

  • carolinarox Oct 15, 2009

    I too wonder why PII was attached to the data. I really don't have a problem with the mammogram information being used with or without my consent, but as someone else stated, there should have been a different identification process other than our personal information. I haven't received a leter, but I have gone to Wake Radiology every year since 2001.

  • ladyblue Oct 15, 2009

    Would someone please explain how they could legally give out not only medical info but personal info such as ss# without our signed consent

    I called the contact number and also emailed the addy they provided this past monday and even though I was told they would investigate I have received no reply. I think an attorney may can answer that question and I am seriously thinking of calling one.

  • findoutthefacts Oct 15, 2009

    Wow - the med school in greenville just had an occurrence where peoples information might possibly be leaked but they agreed to pay for credit monitoring for a year to make up for it.

    So UNC gives away people's personal information without their knowledge and then refuses to do anything to make up for it....way to be the "flagship" university...hahahaha

  • Oct Oct 15, 2009

    Would this be grounds for a class action suit?

  • Oct Oct 15, 2009

    I am one of these women and I just got my letter Oct 13. I had no idea that classified info such as this can be passed on without the patients permission. If this happened, there is no telling what else is going on that we don't know about. Would someone please explain how they could legally give out not only medical info but personal info such as ss# without our signed consent? I had not seen any blogs about this because I didn't know what to look for!!

  • ladyblue Oct 15, 2009

    So to answer your question, I could not readily locate you in the hundreds of blogs out there...tree---

    http://www.wral.com/golo/blogpost/6169897/ I included the web on the statement you are referring to. I got the letter the evening of the 8th in my box when I checked the mail, so I was the first golo blog on the subject. Many others followed as they recieved their letters. I was speaking to wral when I asked that question as one member on golo called them that day.

  • jse830fcnawa030klgmvnnaw+ Oct 15, 2009

    "I put this blog up on October 9th. Where were you people then." - LadyBlue

    My significant other did not receive the CMR notification letter until October 10 and I checked for blogs on October 12 (Monday), which is also when I filed a complaint with NCDOJ. I did not find your or the other 2 blogs that was mentioned when I created my blog about this subject (http://www.wral.com/golo/blogpost/6184122/). It would be nice for Golo to have a hierarchy blog setup by keywords or subject matter (beyond just categories). So to answer your question, I could not readily locate you in the hundreds of blogs out there...

  • ladyblue Oct 15, 2009

    ........I feel confident that our info was only released to further research.sleepyj--

    Sorry but you don't know who it was released to as it was HACKED. It could be some professional hackers who sell personal information for others to get id's. My letter stated it happened in 2007 so I dont' knwo why they told reporter that they didn't knwo. Maybe they are backing off their stories at this place but I have my letter saying 2007 and they just found it this past july.