Secure Channel, Ziff Davis Enterprise
Monday, September 28, 2009 8:38 AM/EST

Don’t Tell Insecure End Users They’re Stupid

The University of North Carolina at Chapel Hill is in the process of notifying 163,000 women participating in a medical research study that their Social Security numbers were compromised by a hack of the research department’s server.

The breach was discovered in July, when researchers at UNC’s School of Medicine reported having trouble accessing the server that contained 236,000 records from the federally funded mammogram study. According to several published reports, forensic analysis found viruses on the server that were more than two years old and determined that the server had been remotely accessed from 31 different locations across North Carolina.

The precise time of the initial breach and the duration of the unauthorized access are unknown, but the access could have lasted as long as two years. The incident raises many questions, including the following:

  • Why were there known viruses on the server for more than two years?
  • How did hackers remotely access the server without detection?
  • Why was sensitive medical research and individual health data unencrypted?
  • Why was there a two-month gap between the breach discovery and the disclosure notification?
  • Why aren’t the other 100,000 women whose records were compromised, but did not contain Social Security numbers, being notified?

The UNC incident should be the new poster child for why end users need the expertise and support of qualified security solution providers. Here’s why.

According to a recent survey Channel Insider conducted with the Computer Technology Industry Association (CompTIA), more than 50 percent of solution providers say they’ve been called in to resolve security mistakes, shortcomings and errors by their customers. These problems include overlooked vulnerabilities, rogue and unauthorized software, poor or embellished compliance reporting, poor or improperly deployed patches, and underestimating the severity of a security breach.

In the eyes of security solution providers, the root cause of end users’ shortcomings amounts to a lack of knowledge, poor management skills, fear of losing their jobs and laziness. Only 47 percent of solution providers say their customers lack the budget to effectively address their security failings. This may not be an individual failing, per se. After all, no one individual can possibly keep up with all of the technologies, customizations, configurations, threats and countermeasures.

There’s no telling whether the UNC breach is a result of any of these managerial and human issues. But the description of the breach gives strong indications that multiple things went wrong, and not all of them were technical. Given the level of fear of repercussions, job insecurity and unwillingness by security managers to admit their shortcomings, is it incumbent upon security solution providers to act with kid gloves when evaluating and assessing security problems and incidents? Is the key to helping companies remediate incidents and improve their security posture not to embarrass them for making bonehead mistakes?


Comments (3)

Brian Masinick :

I would call a spade a spade. Wherever the problem is located - whether one place or numerous places - it must be identified and the wrongs must be corrected. Otherwise, wouldn't it be just wonderful to have over 100,000 people gather together in a major, multibillion-dollar lawsuit?

If I had my information compromised and it was not made right, the flaw identified, corrected, and my personal liability eliminated, I'd do what I could to take them out in a damage suit and see if it could fund a retirement!

PeterPac :

Sometimes embarrassing someone to correct the problem has to be made or they could repeat their errors again and again thus creating more problems down the road. One does not have to use the word "Stupid" but sometimes idiot is appropriate. One would not believe how workers leave the back door open because they are going to unauthorized sites or even downloading and installing programs on their desktops by circumventing security procedures.

How do you explain to 163,000 women that John was viewing porn, which allowed a hacker to plant a trojan or virus on our computers, but we will just tell John "please do not do that again," or hide the fact that John created this problem? Endangering the IDs of all these women is STUPID, point blank.

steveinasheville :

My wife has been notified her records might have been in the pile compromised. It appears to me that the University violated HIPAA, the radiology lab she had the mammogram at violated HIPAA, and possibly even the MD violated HIPAA. The University should be nailed for at least gross negligence. Two years and nobody noticed anything wrong. What a joke. I am filing a federal complaint on HIPAA violation but I doubt anything will come of it.
