Tennessee Accidentally Exposed the Personal Information of Thousands of HIV Patients

For nine months, over 500 Nashville Metro Public Health employees could access and even copy the personal information of thousands of HIV/AIDS patients.



An explosive new report reveals that the Nashville Metro Public Health Department exposed the personal information of thousands of people diagnosed with HIV and AIDS.

The Tennessean reports that Metro Health keeps a database of those diagnosed with HIV and AIDS in the middle Tennessee region. The information comes from the Centers for Disease Control and Prevention's (CDC) Enhanced HIV/AIDS Reporting System (eHARS), which explains that the information is used to assist "health departments with reporting, data management, analysis, and transfer of data to CDC." Like the national database, the Tennessee list contains sensitive information about each patient, including "social security numbers, birthdays, addresses, lab results and some of the intimate secrets of private lives." Only three government scientists were authorized to see that information, and only to work on a project related to an HIV grant program. But thanks to a mistake made by a person managing the database, access was granted to more than 500 health department employees.

The information sat on a shared government server for nine months. While officials do not believe that the database was ever breached, they've run into a secondary issue: an auditing feature that would have tracked server activity was found to be inactive. Had someone taken it upon themselves to open the files and copy sensitive patient information, they would have been able to do so without alerting officials or leaving a trail. In other words, while public officials don't think the database was ever misused, they cannot actually know whether that's true.

The error was discovered two months ago by Metro Health officials. Metro Health spokesperson Brian Todd explained to the Tennessean how the information made its way to the shared server:

The data was initially moved to a server folder reserved for the Ryan White Program, an HIV grant program, then moved again a day or two later to another server folder that was accessible to all Metro Health employees. The data stayed in this folder until it was discovered by an employee in April.

"To our knowledge, only the employee who moved the file to the public folder inappropriately accessed the file, simply by moving it," Todd said in an email. "Her intent was to provide access to an epidemiologist within the department to analyze the data, but that epidemiologist never opened the file. So the personal information in the database was, to our knowledge, never inappropriately accessed."

An investigation was conducted upon discovery, but no actions were taken against any of the employees, including Pam Sylakowski, director of the Ryan White Program and the employee behind the incident. A new server was reportedly created with tighter security and the incident was used as a teaching moment.

Thunder Kellie Hampton, an HIV advocate with Street Works, tells the Tennessean that the breach will discourage many from being tested out of fear for their private information. "I think the gut reaction for many people when they find out about this is 'I don't want to get tested. I don't want my information out there,'" she explained.