The identities of thousands of Tennessee citizens with HIV was listed on a server that could be accessed by hundreds of employees due to an error by the government, a report stated.
Information on the Tennesseans with HIV or AIDS was on a computer database meant to only be accessible to three government scientists. However, the information was made accessible to more than 500 employees at the Nashville Metro Public Health Department, The Tennessean reported.
Their social security numbers, lab results, birthdays and intimate details were also available on the database. Two months ago, officials discovered the database “containing medical information about Middle Tennessee HIV and AIDS patients was stored on a shared computer server open to the entire agency,” The Tennessean reported.
Metro Health officials said they did not believe the “database was improperly opened during the nine months it was on the shared server because there is at least some evidence the file was never touched,” The Tennessean reported. However, officials said they could not be sure because an employee could have copied the information onto a thumb drive without anyone knowing due to a server auditing feature being left inactive.
The potential breach has left some with HIV and AIDS feeling exposed.
“They know that, if this information got into the wrong hands, they could lose their family,” Brady Dale Morris, 42, who is HIV positive, told the newspaper.
“They could lose their jobs. They could lose their insurance. They could lose their homes. They could be kicked out of their church. There all kinds of implications and ramifications – being HIV positive goes into every nook and cranny of our existence,” he continued.
A Metro Health spokesman told The Tennessean no employee has been reprimanded and the incident was investigated. The agency reported it to the Tennessee Department of Health but it did not open its own investigation.
Larry Frampton, public policy director of Nashville CARES, said he filed a HIPAA complaint with the “federal government law week.”
“I think it’s going to be a cut-and-dry case,” Frampton said. “It’s obviously a HIPAA violation. It sat on an unprotected server and no one noticed it for nine months. Anyone could have gotten this.”