The UNC Chapel Hill med school mammography study victimized by a computer hacker did not need to get the consent of patients whose data was submitted to it due to a federal regulation related to studies of large populations.

Judging from the emails and phone calls I've received over the last week since writing this story, that explanation isn't sitting well with many of the more than 100,000 women whose social security numbers and other personal information was exposed when the hacking took place.

Some folks have asked about the federal regulation. Well, here you go:

I've heard from a lot of readers concerned about their personal data being compromised when a UNC Chapel Hill computer server was hacked.

These women, whose mammograms and related personal information were submitted by radiologists to a UNC-CH medical school study, have been asking one question more than any other lately: Why does UNC need social security numbers, dates of birth and other personal information for a medical study?

Karen McCall, a spokeswoman for UNC Health Care, explained today that the study tracks the mammograms of individual patients over time. So, if you have a mammogram each year and it is submitted to the study, someone will analyze it and look for patterns or suggestions that cancer either has developed or could in the future.

Thus, the personal data is necessary because they're examining specific cases, not just using data in aggregate.

"They're tracking people," McCall said. "They're trying to find out if they get cancer. Years ago, they used Social Security numbers. That's how we identified people. The radiologist is responsible for tracking the person for a long time. They give this responsibility to the registry, and the registry reports back to them. So they have to know who the people are."

The university ceased using Social Security numbers as identifiers in 2007, she said.

McCall explained further that this data was stored on two computer servers. One was secure, with all the data "coded," and scrubbed of personal information. But before that happened, it was stored on what she called a "transition" server.

That's the server that got hacked.

Radiologists who submit mammography data to a UNC medical school registry do not need patient consent to do so, a UNC Health Care spokeswoman said Tuesday.

Federal regulators waive consent requirements for projects like the Carolina Mammography Registry because it is a population-based study dealing with hundreds of thousands of pieces of data, said Karen McCall, the UNC Health Care spokeswoman.

A server housing much of the registry's data was hacked recently.

As many as 160,000 patient files may have been exposed, including 114,000 social security numbers. (That's fewer than officials thought originally).

And university officials say there is no evidence that any data was downloaded. University officials don’t know who the hacker is but think it originated in eastern Europe.

Many women only learned they were participants in the study when they received letters from UNC-CH detailing the security breach.

The registry is a 14-year-old project that collects and analyzes mammograms submitted by dozens of radiology offices across the state. Prior to its creation, federal regulators waived any requirement that patients be asked for their consent.

“There are so many participants that the cost of getting permission would be prohibitive to the point of not being able to do the study,” McCall said.

Read more in Wednesday's News & Observer.

Francis Collins, the UNC alum who headed the ambitious Human Genome Project, has been tapped by President Obama to head the National Institutes of Health.

Obama called Collins, who helped decipher the human genetic code,  "one of the top scientists in the world."

The NIH is the nation's leading research granting agency, with a budget of nearly $30 billion to dole out for scientific discovery.

For details, click here.