A prominent cancer researcher at the University of North Carolina at Chapel Hill is fighting the university’s decision to demote her and cut her pay in half after a security breach in a medical study she directs was discovered. The breach could have revealed medical records of more than 100,000 women whose data were studied.
The researcher, Bonnie C. Yankaskas, an associate professor of radiology and adjunct professor of epidemiology, says the university is responsible for the security flaws, and she is being made a scapegoat. University officials have been pressuring her to resign, she said, but added, “This is my life’s work, and there’s too much to do. I’m not going anywhere.”
Ms. Yankaskas is the lead investigator in the Carolina Mammography Registry, a university project that is part of a nationwide consortium that collects and analyzes mammography results.
Last year, medical-school technology officials discovered that a hacker had infiltrated one of the project’s two computer servers, which contained personal data, including names, addresses, and birth dates, of about 180,000 women. About 114,000 of those files included the patients’ Social Security numbers. The break-in happened in 2007 but was only discovered after Ms. Yankaskas reported having trouble with her server in 2009.
University officials said there was no evidence that any information was removed from the servers, but they still sent letters to all of the women whose data might have been exposed. To comply with federal privacy rules, the university also notified the National Cancer Institute, which financed the project, law-enforcement officials, and local news outlets.
The incident “not only cost the university several hundreds of thousands of dollars but also damaged the university’s reputation as a research institution,” the provost, Bruce W. Carney, wrote in a letter to Ms. Yankaskas last year, informing her that the university planned to dismiss her.
She appealed that decision to a faculty-hearing committee, which concluded that firing wasn’t warranted but a lesser punishment might be.
In a letter dated July 21, 2010, the university’s chancellor, H. Holden Thorp, informed Ms. Yankaskas that she was being demoted from full to associate professor, but she would retain tenure. Her $178,000 salary was cut by 48 percent—to $93,000.
Ms. Yankaskas, who has a doctorate in epidemiology, has appealed the case to the university’s Board of Trustees, and she has vowed to file a lawsuit if that is unsuccessful. She says she is being unfairly blamed for systemic, universitywide security flaws that the university was aware of as early as 2006 but never informed her about.
“This whole thing could have been prevented, and they’re hanging it on me,” she said in an interview on Tuesday.
Science and Cybersecurity
Chancellor Thorp said on Tuesday that Ms. Yankaskas did not attend a 2006 meeting about security issues and that, as the mammography study’s principal investigator, or PI, she should be held accountable for the breach.
“The PI is responsible for the security of data in studies like this,” he said.
Her lawyer, Raymond D. Cotton, counters that scientists can’t be expected to be cybersecurity experts.
“We have communications from the chancellor’s office and the medical-center technology office all noting potential and actual problems with the security of the computers, but no one notified her,” he said. “If they had done so, she would have fixed the problem in 2006.”
A few months after the computer breach was discovered last year, the university’s provost, Mr. Carney, sent Ms. Yankaskas a letter telling her the university intended to fire her for neglecting her responsibilities to safeguard the integrity of the data and for using data from University of North Carolina hospitals without permission. She says she did have permission to use that data.
The provost also accused her of assigning server-security duties to an inexperienced staff member, who failed to install important patches and upgrades, and of not providing the staff member with the training needed. Ms. Yankaskas countered that the staff member, who has since left, had worked for the university’s technology office and that the employee never submitted a formal request for additional training.
“I had an employee who I trusted who told me things were OK,” she added. “I would have no way to get on the computer and tell if it was secure. Unless I assumed my employee was lying to me, I don’t know what I could have done.”
‘My Worst Nightmare’
Ms. Yankaskas appealed her firing to a faculty-hearings committee, which found in June that the problems resulted from systemwide security flaws, and not the actions of an individual researcher.
It said the case “revealed a weakness in the linkage between campus-security professionals who understand and monitor computer networks and the computer researchers who acquire and use confidential data.”
The committee’s report described Ms. Yankaskas as a distinguished researcher whose mammography study has brought the university more than $12-million in grants from the National Institutes of Health and helped improve mammography practices across North Carolina. The committee concluded that she shouldn’t be fired, but that as principal investigator, she should be held accountable. The NIH has continued to support her.
Ms. Yankaskas said when she learned that the information had been accessed, “I literally fell apart. For 14 years, my worst nightmare was that somehow we’d break the trust of the women in the study. I had no inkling or idea or reason to believe that was the case.”