PHI of HIV Patients Exposed Because Metro Health Employee Made a Mistake

According to a report published in The Tennessean, a Metro Health employee made an error that exposed the protected health information of HIV and AIDS patients. The employee copied a database and uploaded it to a server that all Nashville Metro Public Health Department employees could access, although none of them were authorized to view the information; only three government scientists were. The database remained on the server for nine months, during which more than 500 employees could have accessed it.

The database contained names, birth dates, addresses, sexual orientation, lab test results, HIV diagnoses, medications and Social Security numbers. The file was discovered by an employee who alerted Metro Health officials, who then removed it. An analysis of the data showed that patients from 12 middle Tennessee counties were affected.

An investigation was launched to determine how the file came to be on the server and whether anyone had opened it. The file's metadata showed that it had not been modified while on the server, which was taken to suggest that it had not been accessed. That inference is weak: a modification timestamp records only writes, and opening, reading or copying a file leaves it unchanged. The server's file access auditing feature had not been enabled, so a copy or download would have left no trace. Metro Health therefore cannot say with certainty that the information was not copied.

As stated in The Tennessean report, the employee copied the file to the server to give an epidemiologist access to the data, although that individual never opened the file. Because the employee did not act with malicious intent, she did not face disciplinary action, but she did undergo further HIPAA training. Metro Health has since implemented additional security controls to prevent similar incidents.

Metro Health reported the incident to the Tennessee Department of Health but did not consider it a HIPAA violation. Consequently, the incident was not reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), and the affected patients were not individually notified. Larry Frampton, Public Policy Director at Nashville CARES, has submitted a complaint to OCR, and the incident is likely to be investigated.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: