> Skip to content
FEATURED:
  • The Evolution of Race in Admissions
Sign In
  • News
  • Advice
  • The Review
  • Data
  • Current Issue
  • Virtual Events
  • Store
    • Featured Products
    • Reports
    • Data
    • Collections
    • Back Issues
    • Featured Products
    • Reports
    • Data
    • Collections
    • Back Issues
  • Jobs
    • Find a Job
    • Post a Job
    • Career Resources
    • Find a Job
    • Post a Job
    • Career Resources
Sign In
  • News
  • Advice
  • The Review
  • Data
  • Current Issue
  • Virtual Events
  • Store
    • Featured Products
    • Reports
    • Data
    • Collections
    • Back Issues
    • Featured Products
    • Reports
    • Data
    • Collections
    • Back Issues
  • Jobs
    • Find a Job
    • Post a Job
    • Career Resources
    • Find a Job
    • Post a Job
    • Career Resources
  • News
  • Advice
  • The Review
  • Data
  • Current Issue
  • Virtual Events
  • Store
    • Featured Products
    • Reports
    • Data
    • Collections
    • Back Issues
    • Featured Products
    • Reports
    • Data
    • Collections
    • Back Issues
  • Jobs
    • Find a Job
    • Post a Job
    • Career Resources
    • Find a Job
    • Post a Job
    • Career Resources
Sign In
ADVERTISEMENT
News
  • Twitter
  • LinkedIn
  • Show more sharing options
Share
  • Twitter
  • LinkedIn
  • Facebook
  • Email
  • Copy Link URLCopied!
  • Print

Chapel Hill Researcher Fights Demotion After Security Breach

By  Katherine Mangan
October 5, 2010
Bonnie C. Yankaskas of the U. of North Carolina School of Medicine says she is being made a scapegoat for the institution’s security flaws.
Bonnie C. Yankaskas of the U. of North Carolina School of Medicine says she is being made a scapegoat for the institution’s security flaws.

A prominent cancer researcher at the University of North Carolina at Chapel Hill is fighting the university’s decision to demote her and cut her pay in half after a security breach in a medical study she directs was discovered. The breach could have revealed medical records of of more than 100,000 women whose data were studied.

The researcher, Bonnie C. Yankaskas, an associate professor of radiology and adjunct professor of epidemiology, says the university is responsible for the security flaws, and she is being made a scapegoat. University officials have been pressuring her to resign, she said, but added, “This is my life’s work, and there’s too much to do. I’m not going anywhere.”

We’re sorry. Something went wrong.

We are unable to fully display the content of this page.

The most likely cause of this is a content blocker on your computer or network. Please make sure your computer, VPN, or network allows javascript and allows content to be delivered from c950.chronicle.com and chronicle.blueconic.net.

Once javascript and access to those URLs are allowed, please refresh this page. You may then be asked to log in, create an account if you don't already have one, or subscribe.

If you continue to experience issues, contact us at 202-466-1032 or help@chronicle.com

A prominent cancer researcher at the University of North Carolina at Chapel Hill is fighting the university’s decision to demote her and cut her pay in half after a security breach in a medical study she directs was discovered. The breach could have revealed medical records of of more than 100,000 women whose data were studied.

The researcher, Bonnie C. Yankaskas, an associate professor of radiology and adjunct professor of epidemiology, says the university is responsible for the security flaws, and she is being made a scapegoat. University officials have been pressuring her to resign, she said, but added, “This is my life’s work, and there’s too much to do. I’m not going anywhere.”

Ms. Yankaskas is the lead investigator in the Carolina Mammography Registry, a university project that is part of a nationwide consortium that collects and analyzes mammography results.

Last year, medical-school technology officials discovered that a hacker had infiltrated one of the project’s two computer servers, which contained personal data, including names, addresses, and birth dates, of about 180,000 women. About 114,000 of those files included the patients’ Social Security numbers. The break-in happened in 2007 but was only discovered after Ms. Yankaskas reported having trouble with her server in 2009.

University officials said there was no evidence that any information was removed from the servers, but they still sent letters to all of the women whose data might have been exposed. To comply with federal privacy rules, the university also notified the National Cancer Institute, which financed the project, law-enforcement officials, and local news outlets.

ADVERTISEMENT

The incident “not only cost the university several hundreds of thousands of dollars but also damaged the university’s reputation as a research institution,” the provost, Bruce W. Carney, wrote in a letter to Ms. Yankaskas last year, informing her that the university planned to dismiss her.

She appealed that decision to a faculty-hearing committee, which concluded that firing wasn’t warranted but a lesser punishment might be.

In a letter dated July 21, 2010, the university’s chancellor, H. Holden Thorp, informed Ms. Yankaskas that she was being demoted from full to associate professor, but she would retain tenure. Her $178,000 salary was cut by 48 percent—to $93,000.

Ms. Yankaskas, who has a doctorate in epidemiology, has appealed the case to the university’s Board of Trustees, and she has vowed to file a lawsuit if that is unsuccessful. She says she is being unfairly blamed for systemic, universitywide security flaws that the university was aware of as early as 2006 but never informed her about.

“This whole thing could have been prevented, and they’re hanging it on me,” she said in an interview on Tuesday.

ADVERTISEMENT

Science and Cybersecurity

Chancellor Thorp said on Tuesday that Ms. Yankaskas did not attend a 2006 meeting about security issues and that, as the mammography study’s principal investigator, or PI, she should be held accountable for the breach.

“The PI is responsible for the security of data in studies like this,” he said.

Her lawyer, Raymond D. Cotton, counters that scientists can’t be expected to be cybersecurity experts.

“We have communications from the chancellor’s office and the medical-center technology office all noting potential and actual problems with the security of the computers, but no one notified her,” he said. “If they had done so, she would have fixed the problem in 2006.”

A few months after the computer breach was discovered last year, the university’s provost, Mr. Carney, sent Ms. Yankaskas a letter telling her the university intended to fire her for neglecting her responsibilities to safeguard the integrity of the data and for using data from University of North Carolina hospitals without permission. She says she did have permission to use that data.

ADVERTISEMENT

The provost also accused her of assigning server-security duties to an inexperienced staff member, who failed to install important patches and upgrades, and of not providing the staff member with the training needed. Ms. Yankaskas countered that the staff member, who has since left, had worked for the university’s technology office and that the employee never submitted a formal request for additional training.

“I had an employee who I trusted who told me things were OK,” she added. “I would have no way to get on the computer and tell if it was secure. Unless I assumed my employee was lying to me, I don’t know what I could have done.”

‘My Worst Nightmare’

Ms. Yankaskas appealed her firing to a faculty-hearings committee, which found in June that the problems resulted from systemwide security flaws, and not the actions of an individual researcher.

It said the case “revealed a weakness in the linkage between campus-security professionals who understand and monitor computer networks and the computer researchers who acquire and use confidential data.”

The committee’s report described Ms. Yankaskas as a distinguished researcher whose mammography study has brought the university more than $12-million in grants from the National Institutes of Health and helped improve mammography practices across North Carolina. The committee concluded that she shouldn’t be fired, but that as principal investigator, she should be held accountable. The NIH has continued to support her.

ADVERTISEMENT

Ms. Yankaskas said when she learned that the information had been accessed, “I literally fell apart. For 14 years, my worst nightmare was that somehow we’d break the trust of the women in the study. I had no inkling or idea or reason to believe that was the case.”

We welcome your thoughts and questions about this article. Please email the editors or submit a letter for publication.
Scholarship & Research
Katherine Mangan
Katherine Mangan writes about community colleges, completion efforts, student success, and job training, as well as free speech and other topics in daily news. Follow her on Twitter @KatherineMangan, or email her at katherine.mangan@chronicle.com.
ADVERTISEMENT
ADVERTISEMENT
  • Explore
    • Get Newsletters
    • Letters
    • Free Reports and Guides
    • Blogs
    • Virtual Events
    • Chronicle Store
    • Find a Job
    Explore
    • Get Newsletters
    • Letters
    • Free Reports and Guides
    • Blogs
    • Virtual Events
    • Chronicle Store
    • Find a Job
  • The Chronicle
    • About Us
    • DEI Commitment Statement
    • Write for Us
    • Talk to Us
    • Work at The Chronicle
    • User Agreement
    • Privacy Policy
    • California Privacy Policy
    • Site Map
    • Accessibility Statement
    The Chronicle
    • About Us
    • DEI Commitment Statement
    • Write for Us
    • Talk to Us
    • Work at The Chronicle
    • User Agreement
    • Privacy Policy
    • California Privacy Policy
    • Site Map
    • Accessibility Statement
  • Customer Assistance
    • Contact Us
    • Advertise With Us
    • Post a Job
    • Advertising Terms and Conditions
    • Reprints & Permissions
    • Do Not Sell My Personal Information
    Customer Assistance
    • Contact Us
    • Advertise With Us
    • Post a Job
    • Advertising Terms and Conditions
    • Reprints & Permissions
    • Do Not Sell My Personal Information
  • Subscribe
    • Individual Subscriptions
    • Institutional Subscriptions
    • Subscription & Account FAQ
    • Manage Newsletters
    • Manage Your Account
    Subscribe
    • Individual Subscriptions
    • Institutional Subscriptions
    • Subscription & Account FAQ
    • Manage Newsletters
    • Manage Your Account
1255 23rd Street, N.W. Washington, D.C. 20037
© 2023 The Chronicle of Higher Education
  • twitter
  • instagram
  • youtube
  • facebook
  • linkedin