PHI of HIV Patients Exposed Because Metro Health Employee Made a Mistake

According to a report published in The Tennessean, a Metro Health employee made an error that resulted in the exposure of the protected health information of HIV and AIDS patients. The employee copied a database and uploaded it to a server that all Nashville Metro Public Health Department employees could access, even though those employees were not authorized to view the information. Only three government scientists should have had access to it. The database sat on the server for nine months and could have been accessed by over 500 employees.

The information contained in the database included names, birth dates, addresses, sexual orientation, lab test results, HIV diagnoses, medications and Social Security numbers. The file was discovered by an employee who alerted Metro Health officials, who removed it. An analysis of the data in the file showed that patients from 12 middle Tennessee counties were affected.

An investigation was launched to find out how the file came to be on the server and whether anyone had opened it. The metadata attached to the file indicated that it was not modified while it was on the server, suggesting that the file had not been accessed. However, a server auditing feature was not activated, so copying or downloading the file would have left no trace. Metro Health therefore cannot say with 100% certainty that the information was not copied.
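The investigation's reasoning above rests on file metadata, which records writes but not reads. The following example, added here and not part of the original report, shows why: copying a file leaves the source's modification time untouched, so only an access audit trail can answer the question. The audit-log format and the file path are constructed for illustration, not taken from the incident.

```python
import os
import re
import shutil
import tempfile
import time

# Constructed audit-log lines in a generic "key=value" format (not a real
# product's format). Records like these are what an investigator needs;
# the file's own metadata cannot show a read or a copy.
SAMPLE_AUDIT_LOG = [
    "2019-03-04T09:12:01 user=alice action=READ object=/share/exports/cases.db",
    "2019-03-04T09:13:45 user=bob action=WRITE object=/share/reports/q1.docx",
    "2019-03-05T14:02:10 user=carol action=READ object=/share/exports/cases.db",
]
AUDIT_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) object=(\S+)$")


def source_mtime_unchanged_by_copy() -> bool:
    """Copy a temporary file and report whether the source's mtime stayed the same.

    Returns True on ordinary filesystems: copying only reads the source, and
    reads do not update mtime, so an unchanged mtime is not evidence that
    nobody opened or copied the file.
    """
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "cases.db")
        with open(src, "w") as fh:
            fh.write("constructed sample content\n")
        before = os.stat(src).st_mtime_ns
        time.sleep(0.05)  # make any mtime change observable
        shutil.copy(src, os.path.join(tmp, "cases-copy.db"))
        return os.stat(src).st_mtime_ns == before


def read_events(lines, target):
    """Return (timestamp, user) for every READ of `target` in the audit lines."""
    hits = []
    for line in lines:
        m = AUDIT_RE.match(line)
        if m and m.group(3) == "READ" and m.group(4) == target:
            hits.append((m.group(1), m.group(2)))
    return hits


def access_finding(audit_enabled, lines, target):
    """State what the evidence supports. With auditing off, the only honest
    answer is 'unknown', whatever the file metadata says."""
    if not audit_enabled:
        return "unknown"
    return "accessed" if read_events(lines, target) else "no access recorded"
```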

As stated in The Tennessean report, the employee copied the file to the server to give an epidemiologist access to the data, although that individual did not open the file. Because the employee did not copy the file with malicious intent, she did not face any disciplinary action, but did undergo further training. Metro Health has since implemented additional security controls to avoid similar data breach incidents.

Metro Health reported the incident to the Tennessee Department of Health but did not consider it a HIPAA violation. Consequently, the incident was not reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), and the patients affected by the data breach were not individually informed. The Public Policy Director at Nashville CARES, Larry Frampton, has submitted a complaint to OCR, and the incident is likely to be investigated.