Health Information of Thousands of HIV Patients Exposed by Employee Error

An error by an employee of Metro Health has resulted in the exposure of highly sensitive information of patients diagnosed with HIV or AIDS, according to a recent report in the Tennessean.

The information was stored in a database which had been copied by the employee onto a server that was accessible by all employees in the Nashville Metro Public Health Department, even though the vast majority of those individuals were not authorized to access the information. The database was only supposed to be accessed by three government scientists.

The database was present on the server for nine months before the file was found by an employee and Metro Health officials were notified. During the time that the file was on the server, more than 500 employees could potentially have accessed the database.

The database contained information such as names, addresses, lab test results, HIV diagnoses, drug usage, sexual orientation, birth dates, and Social Security numbers. The data came from the Enhanced HIV/AIDS Reporting System – a national database that includes details of patients with HIV and AIDS going back to 1983, although the data was limited to individuals from 12 middle Tennessee counties.

The file was discovered on the server two months ago, prompting an investigation into how the file came to be on the server and whether any sensitive information had been viewed by staff. Some evidence was obtained to suggest the file had not been accessed during the time it was accessible; however, it was not possible to rule out data access with total certainty.

The metadata attached to the file showed it had not been modified since it was copied to the server. However, a server auditing feature that would have recorded whether the file had been accessed, and by whom, should have been active, but it had never been enabled, so Metro Health had no access log to consult.

Without that feature, it would have been possible for the database to have been copied without leaving any trace that data had been stolen. The information could, for instance, have been copied onto a portable storage device by an employee.
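The article does not say which platform the shared server ran, so the following is an added example, not code from the article or from Metro Health: it assumes a Linux file server running auditd with a watch rule on the copied database (hypothetical path `/srv/shared/ehars.db`, hypothetical rule key `ehars_db`, as set by `auditctl -w /srv/shared/ehars.db -p rwa -k ehars_db`). With such a rule active, every open of the file leaves SYSCALL and PATH records, and the script below parses constructed sample records to answer exactly the question the investigation could not: who opened the file, from which account, with which program, and whether any of those accounts were outside the small group authorized to see it.

```python
"""Report who opened a watched sensitive file, from Linux auditd records.

Added example (not from the article or Metro Health). Assumes auditd with a
watch rule such as:  auditctl -w /srv/shared/ehars.db -p rwa -k ehars_db
The path, rule key, account ids and log lines below are all constructed.
"""
import re
from collections import defaultdict

# Constructed sample audit records: two successful opens (one by an
# unauthorized account using cp), one denied open, one unrelated event.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1527800000.123:101): arch=c000003e syscall=257 success=yes exit=3 auid=1001 uid=1001 comm="sqlite3" exe="/usr/bin/sqlite3" key="ehars_db"
type=PATH msg=audit(1527800000.123:101): item=0 name="/srv/shared/ehars.db" inode=12345 mode=0100644
type=SYSCALL msg=audit(1527800300.456:102): arch=c000003e syscall=257 success=yes exit=4 auid=1042 uid=1042 comm="cp" exe="/bin/cp" key="ehars_db"
type=PATH msg=audit(1527800300.456:102): item=0 name="/srv/shared/ehars.db" inode=12345 mode=0100644
type=SYSCALL msg=audit(1527800400.789:103): arch=c000003e syscall=257 success=no exit=-13 auid=1042 uid=1042 comm="cat" exe="/bin/cat" key="ehars_db"
type=SYSCALL msg=audit(1527800500.000:104): arch=c000003e syscall=257 success=yes exit=5 auid=1001 uid=1001 comm="vim" exe="/usr/bin/vim" key="other_file"
"""

# Hypothetical: the login accounts (auid) permitted to open the database.
AUTHORIZED_AUIDS = {1001}

MSG_RE = re.compile(r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _fields(line):
    """Split an audit record into key/value pairs, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def parse_audit_log(text, key):
    """Return one event per audit serial whose SYSCALL record carries `key`.

    SYSCALL and PATH records of one event share a serial number, so the
    PATH record's file name is joined onto the SYSCALL record afterwards.
    """
    by_serial = {}
    paths = defaultdict(list)
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        f = _fields(line)
        serial = int(m.group("serial"))
        if f.get("type") == "SYSCALL" and f.get("key") == key:
            by_serial[serial] = {
                "serial": serial,
                "time": float(m.group("ts")),
                "auid": int(f["auid"]),   # login account, survives su/sudo
                "uid": int(f["uid"]),
                "comm": f.get("comm", ""),
                "exe": f.get("exe", ""),
                "success": f.get("success") == "yes",
                "path": None,
            }
        elif f.get("type") == "PATH":
            paths[serial].append(f.get("name"))
    events = []
    for serial in sorted(by_serial):
        ev = by_serial[serial]
        ev["path"] = paths.get(serial, [None])[0]
        events.append(ev)
    return events


def summarize(events, authorized):
    """Count opens and single out accounts that are not on the authorized list."""
    successful = [e for e in events if e["success"]]
    denied = [e for e in events if not e["success"]]
    unauthorized = [e for e in successful if e["auid"] not in authorized]
    return {
        "opens": len(successful),
        "denied": len(denied),
        "readers": sorted({e["auid"] for e in successful}),
        "unauthorized_opens": [(e["auid"], e["comm"]) for e in unauthorized],
    }


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG, "ehars_db")
    for ev in evs:
        print(ev["serial"], ev["auid"], ev["comm"], "ok" if ev["success"] else "DENIED", ev["path"])
    print(summarize(evs, AUTHORIZED_AUIDS))
```

On the constructed input the summary shows two successful opens by two accounts, of which account 1042 is not authorized and opened the file with `cp`, which is the kind of bulk-copy event the article says could otherwise have left no trace. The same join-by-serial logic applies to real auditd output; on a production server the `auid` field is what ties an access back to a person even when the file was read through a shared or elevated account.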

According to a statement provided to the Tennessean, the file was copied onto the server by an employee to allow the data to be accessed by an epidemiologist, although the file was never opened.

The employee responsible for copying the file has not faced disciplinary action as the file was not moved with malicious intent. That individual has been provided with further training. Additional security controls have now been implemented to prevent similar incidents from occurring in the future.

The incident was reported to the Tennessee Department of Health, although not to the Department of Health and Human Services’ Office for Civil Rights (OCR) as Metro Health did not consider this to be a violation of HIPAA.

Consequently, patients whose PHI was exposed have not been individually notified. Larry Frampton, public policy director at Nashville CARES, has filed a complaint with OCR over the potential privacy breach requesting the incident be investigated.

Author: HIPAA Journal