Researcher Yankaskas appeals pay cut, demotion

More than a year removed from the discovery of a security breach exposing the personal information of about 180,000 subject and patient records, University officials remain at odds with a highly regarded cancer researcher over who deserves blame.

Although personnel matters are normally kept confidential, an article published Wednesday in The Chronicle of Higher Education brought to light the ongoing feud between Bonnie Yankaskas, an associate professor of radiology and adjunct professor of epidemiology, and University administrators regarding a 2007 hack that exposed the names, addresses and birth dates of women whose data were collected as part of the Carolina Mammography Registry.

School of Medicine Office of Information Systems officials first alerted the University to the breach in July 2009 after uncovering a virus and potential security breach on the Carolina Mammography Registry’s FTP server.

As the registry’s principal investigator, Yankaskas has been blamed for the breach, which also compromised about 114,000 Social Security numbers. She has since claimed that the University is using her as a scapegoat for systemic data security weaknesses.

On Oct. 27, Yankaskas received an intention to discharge letter from Executive Vice Chancellor and Provost Bruce Carney, who said Yankaskas exhibited “deliberate neglect” in her oversight of the project’s data security.

“I was appalled,” said Carney, who held his current position on an interim basis in July 2009. “The first question you have to ask is, ‘How does this happen?’”

In the intention to discharge notice, Carney wrote that Yankaskas was negligent in assigning security duties without granting additional training to Melinda Boyd, whom he deemed to be underqualified. Carney later became aware that his wife’s Social Security number was exposed and said his personal connection to the breach has not clouded his judgment.

“At the time, Ms. Boyd had no certification or experience as a server administrator,” Carney wrote. “She has stated that she requested that you provide additional training for her in server administration but that you declined to do so.”

After an appeal to Faculty Hearings Committee, Chancellor Holden Thorp adopted the course outlined by radiology department chairman Matthew Mauro and opted on July 21 to demote Yankaskas from a full professor to associate professor with tenure. Her salary was reduced by 48 percent, from $178,000 to $93,000. Thorp was not available for comment Wednesday.

Though the penalty was reduced, Yankaskas’ legal counsel said Wednesday that his client is not satisfied.

“They’re kicking up a lot of dust and trying a bait and switch, saying ‘It’s not us. The problem is professor Yankaskas,’” said Yankaskas’s legal counsel, Ray Cotton, who has asserted that systemic weaknesses in the University’s data security system, rather than Yankaskas, deserve blame.

“The University administration, going up to and including the chancellor, are scapegoating professor Yankaskas.”

Yankaskas, who has been advised not to speak to the media, could not be reached for comment Wednesday. She has gone on to appeal the disciplinary action to the Board of Trustees. If the board, which is scheduled to meet Nov. 17, denies that appeal, the Board of Governors would be Yankaskas’s final option for appeal, Carney said.

Board of Trustees Chairman Bob Winston declined to comment Wednesday on Yankaskas’ appeal, saying it was a personnel matter.

Karen McCall, vice president of marketing and public affairs for UNC Health Care, said the University could not conclusively determine whether the hacker retrieved the sensitive information on the server.

“All the people we spoke to said we couldn’t be sure info was not taken,” McCall said. “We were encouraged by the fact that we did notify all of these people and we didn’t get reports back that anyone had their information stolen.”

Senior writer Will Doran

contributed reporting

Contact the University Editor at udesk@unc.edu.