A UNC cancer researcher is fighting a demotion and pay cut she received after a security breach in the medical study she directs.
Bonnie Yankaskas, a professor in the Department of Radiology and principal investigator of the Carolina Mammography Registry (CMR), was demoted from full professor to associate professor with tenure after one of two servers used by the program was hacked into in 2007, placing the personal data, including Social Security numbers, of more than 100,000 women at risk.
The university also reduced Yankaskas’ salary from $178,000 to $93,000. She remains on faculty and continues to lead the CMR program.
Although the security breach occurred in 2007, it wasn’t discovered until Yankaskas reported a computer problem in 2009.
Yankaskas’ attorney, Raymond Cotton, said Wednesday that it’s unfair to blame his client for the breach. He said the university knew the program’s computer system had security deficiencies as early as 2006 but failed to notify Yankaskas.
“No one told her so she could do anything about it,” Cotton said. “The only person who didn’t know was Bonnie [Yankaskas]. It was gross negligence.”
I can’t remember any other data breach of this kind where a researcher experienced such consequences. Researchers have lost data on laptops or flash drives, databases get hacked, but holding the researcher responsible for this type of breach? I’m surprised.
But university officials said Yankaskas’ role in the security breach rose the level of negligence which warranted her dismissal from the university.
In fact, then-interim provost Bruce Carney sent Yankaskas a letter in October 2009 notifying her of the university intent to dismiss her from the faculty because her role in the security breach “constitutes a neglect of duty.”
Carney also charged that Yankaskas obtained sensitive HIPPA-protected patient data from UNC Hospitals without the proper authority, which also rose to the level of neglect of duty.
Okay, that’s HIPAA, not HIPPA, but that’s actually a very serious charge and one which is reasonable to hold a researcher accountable for. Not only does a researcher have legal obligations under HIPAA for use of patient data, but there are also obligations to comply with the Institutional Review Board’s terms of approval for a study. In this case, there was reportedly no “clear and convincing evidence” that the researcher had violated any rules. What is not clear from the media coverage is whether the records were supposed to have been anonymized or not. Wake Radiology subsequently withdrew from the study when it discovered that the data were not anonymized. The issue of anonymization should have been addressed during the approval process for the study, and it’s not clear to me whether Wake Radiology knew but wasn’t concerned until after the hack or if there had been a representation that data would be anonymized that was not followed.
The committee said Yankaskas’ “inadequate attention to security” did warrant discipline, but not the dismissal as recommended by Carney.
Was this a university server? If so, the notion that individual researchers should be held accountable for the security of servers holding research/patient data boggles my mind. If the research is conducted under the auspices of the university and is part of their network (and that’s a big “if”), do they not provide security? I can see holding a researcher responsible if the researcher opens holes in the security by installing p2p software, or transfers the data to devices that are not part of the system, but routine use of a server? This could really have an effect on all academic researchers who may start wondering whether they need to include a security consultant/IT in their grant proposals. [UPDATE: I may have been totally wrong. See this later news story that suggests that the researcher may have had more responsibility for the server security than I expected.]
On Wednesday, Carney, the university’s permanent provost, said he stands by his recommendation in the wake of the “pervasive neglect” with which Yankaskas handled the program’s computer security.
“Ultimately, the principal investigator has to be responsible,” Carney said.
Yankaskas has appealed the demotion to the UNC Board of Trustees, which could decide the matter next month.
Read the full story in The Herald Sun. This case has the potential to have a lot of repercussions among academic researchers.
Cross-posted from PHIprivacy.net