Incident 1: UNC Data Breach Exposes Information On Over 100,000 Women Listed In Mammogram Registry
The University of North Carolina at Chapel Hill recently disclosed a data breach that exposed information on 160,000 women, including the Social Security Numbers of 114,000. Original reports estimated that more than 200,000 women were affected. The source of the breach was a computer intrusion into a server housing the Carolina Mammography Registry, which is "a 14-year-old project that compiles and analyzes mammography data submitted by radiologists across North Carolina."
Evidently, the breach was discovered in July, but it may have occurred over two years ago. According to Matt Mauro, chairman of the UNC Department of Radiology, traces of computer viruses were found on a UNC School of computer server dating back to 2007 were found on the server. The school delayed in notifying those affected while it conducted a forensic investigation to determine exactly who was affected. To this point, however, the school still does not know who committed the breach or where the attack originated from, how the server (which had all required security measures) was breached, or whether any data was actually downloaded.
Links:
- Ferreri, Eric, "Hacker breaks into research study data," Charlotte Observer, September 29, 2009.
- "UNC says hacker got into fewer files than reported," The News & Observer, October 1, 2009.
Incident 2: Massachusetts Inmate Pleads Guilty to Charges that He Hacked Prison Computer While Incarcerated, Accessed Personal Information On 1,100 Correctional Officers
On September 14, 2009, Francis G. Janosko pled guilty to charges that he hacked a legal research computer provided to inmates in the Plymouth County Correctional Facility. A highly restricted computer terminal was provided to inmates for the sole purpose of allowing them access to legal research resources. Janosko apparently circumvented security measures restricting the computer to legal research tools and obtained accessed the administrator’s username and password, the prison’s internal network, and a report listing the names, birthdays, Social Security Numbers and contact information for 1,100 current and former prison personnel. He also used the computer to send email and download publicly-available photographs and videos.
A grand jury in Boston indicted Janosko for these activities about a year ago in a sealed indictment (.pdf). In the plea agreement (.pdf) recently reached with the U.S. Attorney’s Office in Boston, federal prosecutors have agreed to dismiss the original charge of aggravated identity theft in exchange for Janosko’s guilty plea to charges under the Computer Fraud and Abuse Act. Janosko has agreed to accept an additional incarceration of 18 months for the hack. Sentencing in the case is scheduled for December 15th.
My wife has been notified that her records are in the pile that might have been compromised. From my brief research it appears that the University violated HIPAA. The radiology lab and probably even the MD also violated HIPAA. Is anyone going to hold the university accountable for not knowing for two years that a data breach occurred (negligence)? I am filing a federal complaint but I doubt anything will come of it.