UNC Says No Consent Required for Mammography Registry in Spite of Massive Data Breach


November 2, 2009 – The University of North Carolina is now apparently claiming that no consent was required to include patients, and their personal information, in the data base of a statewide mammography registry. According to Karen McCall, UNC Health Care spokesperson, “federal regulators waive consent requirements for projects like the Carolina Mammography Registry because it is a population-based study dealing with hundreds of thousands of pieces of data”.

UNC Dome.jpgThis is interesting news for the thousands of female patients whose birth dates and social security numbers were included in the database, and may have been compromised by hackers who gained access to the system as far back as 2007. It appears that most of the patients had no knowledge either that they were being included in any study, or that personal information would be a part of the information provided.


In fact many learned of their inclusion in the study only when they received a letter from the Carolina Mammography Registry and signed by Bonnie C. Yankaskas, Ph.D., Professor, Department of Radiology, which stated as follows:

I am writing to notify you about a computer security breach that may have
resulted in the unauthorized exposure of your personal information. In late
July 2009, information technology employees at The University of North
Carolina at Chapel Hill (“University”) discovered that a computer server
storing data for the Carolina Mammography Registry (“Registry”) at the
University’s School of Medicine was targeted in a computer hack. We believe
this hacking incident may have occurred in 2007. When University staff
learned that the server was compromised, the server was taken down, and all
data on the server were removed.

The letter then went on to say:

Unfortunately, some of your personal information was on the Registry’s server
at the time of the hacking incident. This information included your name and
Social Security number. In many cases, these data also included your date of
birth, address, phone number, demographic information, insurance status, and
health history information.

UNC apparently is relying on the fact that the Mammography Registry was part of a federally funded cancer study and that federal regulations waived the need for consent. However, McCall failed to cite any particular federal regulation, which would circumvent an individual’s right to privacy, and in particular, which would expressly permit the dissemination of a patient’s most private personal information. When asked why patients would not have been asked to consent to the use of this information in the study, McCall stated that there were “so many participants that the cost of getting permission would be prohibitive to the point of not being able to do the study” .

Source: News Observer

Victims of the UNC Mammography data breach may have claims both for the unauthorized posting of their personal information and/or for damages associated with the use or misuse of their personal information. the law office, and its affiliates, are interested to learn the identity of any women who may have been notified that their personal information was compromised as the result of this UNC data breach. If you were a part of this data breach, you may be able to participate as part of a class action to be filed against UNC and/or the private practices who supplied personal information to the Registry without prior authorization. If you are a victim of the data breach, please contact the attorney by calling , or .

Posted in:

Comments are closed.

Contact Information