UNC's Health Record Breach Raises Questions About the Safety of EHR
by Brendon Nafziger, DOTmed News Associate Editor | October 02, 2009
Hundreds of thousands of medical records might have been compromised by an electronic break-in of the University of North Carolina-Chapel Hill's radiology department, raising fears over the security of medical records.
Over 160,000 entries for women participating in a mammogram study, called the Carolina Mammogram Registry, were potentially accessed.
Of these, around 46,000 had their information "coded," a now-standard procedure, so even if hackers saw the registry, they would get no personal information.
But for the other 114,000, the registry listed social security numbers, name, address, phone number, demographic information and results from breast exams, according to the hospital.
But UNC is quick to stress that there's no evidence any hacker saw or stole anyone's records.
"We don't know if or where a breach has occurred," Paul Molina, M.D., the vice chair of the radiology department at UNC, tells DOTmed News.
University officials first detected something was amiss in July, discovering traces of malicious code in the registry believed to have been left in 2007. But only last week did they begin sending out letters notifying patients of the possible breach.
Dr. Molina says the months-long delay was caused by the large amount of data in the registry that investigators had to comb through. "Contacting patients unnecessarily was something we wanted to avoid," he says.
The investigation is ongoing. Already, the number of women whose info might have been accessed has been downgraded from the 236,000 initially reported on Monday to 160,000.
The registry, one of the largest data storehouses for breast cancer research, was created to "improve breast cancer detection and to guide avenues of research in the area of breast cancer," says Dr. Molina.
Some experts believe university servers are more vulnerable to hacking because they're decentralized - not under the protection of a main secure server, as was the case with UNC's mammography database.
"It was pretty much on its own," says Dr. Molina. "I think that is one thing that may come out of this security breach, is whether or not other servers currently existing on campus will be brought under some central umbrella."
But John Travis, a senior director at Cerner, one of the leading electronic health records companies, doesn't think that university hospitals are necessarily at a greater risk.
"The nature of the way the data is spread across multiple systems and the security of the systems are more important factors contributing to vulnerability than being a university hospital," he tells DOTmed News in an email.