By Gregory Childress
gchildress@heraldsun.com; 419-6645
Chapel Hill -- A UNC cancer researcher is fighting a demotion and pay cut she received after a security breach in the medical study she directs.
Bonnie Yankaskas, a professor in the Department of Radiology and principal investigator of the Carolina Mammography Registry (CMR), was demoted from full professor to associate professor with tenure after one of two servers used by the program was hacked into in 2007, placing the personal data, including Social Security numbers, of more than 100,000 women at risk.
The university also reduced Yankaskas' salary from $178,000 to $93,000. She remains on faculty and continues to lead the CMR program.
Although the security breach occurred in 2007, it wasn't discovered until Yankaskas reported a computer problem in 2009.
Yankaskas' attorney, Raymond Cotton, said Wednesday that it's unfair to blame his client for the breach. He said the university knew the program's computer system had security deficiencies as early as 2006 but failed to notify Yankaskas.
"No one told her so she could do anything about it," Cotton said. "The only person who didn't know was Bonnie [Yankaskas]. It was gross negligence."
But university officials said Yankaskas' role in the security breach rose the level of negligence which warranted her dismissal from the university.
In fact, then-interim provost Bruce Carney sent Yankaskas a letter in October 2009 notifying her of the university intent to dismiss her from the faculty because her role in the security breach "constitutes a neglect of duty."
Carney also charged that Yankaskas obtained sensitive HIPAA-protected patient data from UNC Hospitals without the proper authority, which also rose to the level of neglect of duty.
But in reviewing the case, the Faculty Hearings Committee found no "clear and convincing evidence" that Yankaskas violated or ignored rules in obtaining the patient information and thus did not rise to level of a firing offense.
The committee said Yankaskas' "inadequate attention to security" did warrant discipline, but not the dismissal as recommended by Carney.
"The security failures revealed by this case should prompt wider consideration of reform in how university research involving confidential data is carried out," the committee ruled. "They do not, however, amount to faculty misconduct justifying discharge."
On Wednesday, Carney, the university's permanent provost, said he stands by his recommendation in the wake of the "pervasive neglect" with which Yankaskas handled the program's computer security.
"Ultimately, the principal investigator has to be responsible," Carney said
Yankaskas has appealed the demotion to the UNC Board of Trustees, which could decide the matter next month. She may appeal to the UNC Board of Governors if the ruling from the Board of Trustees is unfavorable.
UNC Chancellor Holden Thorp notified Yankaskas of the demotion in a letter dated July 21. Thorp said he was following the recommendations of the Faculty Hearings Committee, which determined that Yankaskas' role in the breach didn't justify her firing.
Because the committee serves only in an advisory role, Thorp could have handed down a lesser or stiffer punishment.
"He had to come to the conclusion that these charges were unfounded," Cotton said of Thorp's decision.
Yankaskas' boss, Matthew A Mauro, also concluded in an Oct. 9, 2009 letter to Bill Roper, dean of the medical school, that Yankaskas be disciplined instead of dismissed.
