The UNC Chapel Hill med school mammography study victimized by a computer hacker did not need to get the consent of patients whose data was submitted to it due to a federal regulation related to studies of large populations.

Judging from the emails and phone calls I've received over the last week since writing this story, that explanation isn't sitting well with many of the more than 100,000 women whose social security numbers and other personal information was exposed when the hacking took place.

Some folks have asked about the federal regulation. Well, here you go:

Radiologists who submit mammography data to a UNC medical school registry do not need patient consent to do so, a UNC Health Care spokeswoman said Tuesday.

Federal regulators waive consent requirements for projects like the Carolina Mammography Registry because it is a population-based study dealing with hundreds of thousands of pieces of data, said Karen McCall, the UNC Health Care spokeswoman.

A server housing much of the registry's data was hacked recently.

As many as 160,000 patient files may have been exposed, including 114,000 social security numbers. (That's fewer than officials thought originally).

And university officials say there is no evidence that any data was downloaded. University officials don’t know who the hacker is but think it originated in eastern Europe.

Many women only learned they were participants in the study when they received letters from UNC-CH detailing the security breach.

The registry is a 14-year-old project that collects and analyzes mammograms submitted by dozens of radiology offices across the state. Prior to its creation, federal regulators waived any requirement that patients be asked for their consent.

“There are so many participants that the cost of getting permission would be prohibitive to the point of not being able to do the study,” McCall said.

Read more in Wednesday's News & Observer.