Personal information and Social Security Numbers exposed

Sep 28, 2009 10:53 GMT

The hacking of a server belonging to the University of North Carolina's School of Medicine resulted in the compromise of personal information and SSNs belonging to 163,000 women. The university is in the process of notifying the affected individuals.

IDG News reports that the server hosted mammography data as part of a research project funded by the government. The information was collected from 31 different locations in North Carolina and pertained to a total of 236,000 patients. In addition to personal details, 163,000 records contained SSNs.

According to Matt Mauro, chairman of the Department of Radiology at the University of North Carolina, the breach was detected back in July when a system access problem reported by an authorized user was investigated. Due to the nature of the malware found on the compromised server, there is reason to believe that the security breach had been ongoing for around two years.

After the intrusion was discovered, the affected server was taken offline and has remained so to date. The system will not collect information for the research project until more appropriate protection mechanisms are deployed to prevent future breaches.

Mauro noted that the investigation did not reveal any signs of information misuse or even evidence that it had been accessed in the first place. However, under the law, first and last names associated with SSNs constitute personally identifiable information (PII) and the incident must be treated as a data breach, which involves notifying the potentially affected individuals.

This is not the first incident involving a university and compromised medical records that we have written about during the last twelve months. Back in November 2008, we reported that IT personnel at the University of Florida's College of Dentistry had discovered malware on a server hosting the personal and medical information of 330,000 dental patients.

Servers belonging to schools and universities are appealing targets for cybercriminals because their security protection is generally low and they can house vast amounts of sensitive data. The information extracted during such breaches can be abused in several ways or sold on the online black market to spammers and identity thieves.