CHAPEL HILL - Some 3,500 people had their personal information exposed when hackers hit two servers of the UNC Lineberger Comprehensive Cancer Center.

The attack was discovered by UNC-Chapel Hill’s information technology employees in May, yet potential victims were not informed until last week when they received letters from center director Dr. Shelley Earp.

Earp apologized for the breach, which compromised personal data, including Social Security numbers and passport numbers, for employees, contractors and visiting lecturers at the center.

“Despite our investigation, however, we are unable to say for sure whether your personal information was accessed by an unauthorized person as a result of this incident,” Earp wrote in a letter dated Dec. 26. “Even if your personal information was accessed, we have no way to know whether it has been or will be misused.”

The servers were immediately blocked to protect data. The breach involved administrative servers that did not typically store patient data, so the center’s patients need not worry, said Ellen de Graffenreid, director of communications and marketing at Lineberger.

She said there were a small number of files that contained data from fewer than 15 people who were subjects in research studies.

So far, de Graffenreid said, no one has reported identity theft as a result of the hacking, but potential victims have been advised to seek a fraud alert or a security freeze on their credit files.

Some potential victims expressed dismay that it had taken the cancer center so long to notify them of the problem.

Paul Farel, a retired professor, said when he received the letter last week, he put an alert on his credit report.

“My concern was that it was over six months between the time when they noted the breach and when I was notified,” Farel said.

De Graffenreid said the two servers contained 1.6 million files. Forensic investigators narrowed that number down to 3,300 files that had been touched during the window of vulnerability created by the hacking.

Each of those 3,300 files had to be examined by hand to determine whether personal information had been compromised, she said.

“It was very intensive and very time-consuming to sift through all of the information,” she said. “We are very concerned with accuracy.”

An automated process would have turned up many false positive examples of people who were not really at risk, de Graffenreid said.

Farel said the notifications could have been done as the investigation progressed.

“I don’t know how many people are really at risk, but I think the university needs to be very careful about that,” Farel said, “or to have a rational procedure in handling cases like this.”

University servers are on the receiving end of thousands of attempted attacks by hackers each hour, de Graffenreid said, and the IT staff uncovered this one through routine monitoring.

Hacking incidents have caused major headaches at UNC-CH before.

In 2009, UNC School of Medicine officials discovered the hacking of a server with data from a major breast cancer study. The university notified all 180,000 women with data on the server and set up a call center to answer questions, though there was no evidence that personal information was removed.

In that case, the process cost $250,000; the university also slashed the pay and moved to demote a prominent researcher who headed the study. In a 2011 settlement, the researcher was reinstated with full pay before she retired.