The University was wrong to wait almost two months to notify research participants of a security breach that compromised their information.
The breach was detected in a UNC School of Medicine database in July. It affected 236,000 women participating in breast cancer research. That information included about 163,000 Social Security numbers.
Officials at the medical school decided to investigate more before alerting the women affected, so letters are going out today.
That was a bad decision.
A compromise of such information is serious. Social Security numbers serve as identities for nearly everything financial.
And when a person’s Social Security number is stolen, thieves can open credit accounts, rent apartments, open phone lines and wreak havoc on a person’s finances.
Yet it has taken medical school officials over two months to alert the women affected.
Dr. Matthew Mauro, chair of the Department of Radiology at the medical school, said they decided to wait because they investigated the incident three times using different information technology specialists — two from the University and one third-party.
Mauro said the number of women whose Social Security numbers were compromised was originally somewhere around 100,000, but it rose substantially.
It’s understandable that officials wanted to be thorough.
But identity theft happens fast. It would have been more prudent to alert the women affected as the information came in rather than wait until the investigation finished.
Mauro said that the University now is contacting all 236,000 women affected, not just the ones whose Social Security numbers were compromised.
This is an ethical decision, and a good one. Mauro said the school is only required to contact those who had Social Security numbers in the database.
But the women affected should have been notified as soon as the breach was discovered.