The identities of thousands of Tennessee residents living with HIV were stored on a public server accessible to people who worked at the Nashville Metro Public Health Department, the Tennessean reports.
The information was accessible for nearly nine months and included both people who were living with HIV and those who had passed away. According to the Tennessean, the breach included more than just names. Employees could click and gain access to people’s Social Security numbers, birthdays, addresses, lab results and more. The database also listed how they identified their sexual orientation and gender and their drug histories.
The database was supposed to be accessible to three government scientists, but instead, more than 500 employees had access to the names. Most of these employees’ jobs were not related to HIV or AIDS. Metro Health officials don’t believe workers accessed the database while it was public. But the Tennessean reports that the agency is unsure whether the system meant to track activity on the server was active or not.
“People literally are scared to death that their family and friends are going to find out they are positive,” Larry Frampton, the public policy director at Nashville CARES, told the Tennessean. “They are going to literally freak over this. They’ll think that their life is literally coming to an end.”
“They could lose their jobs,” Brady Dale Morris, who has been HIV positive for a decade, told the Tennessean. “They could lose their insurance. They could lose their homes. They could be kicked out of their church. There are all kinds of implications and ramifications – being HIV positive goes into every nook and cranny of our existence.”
According to a spokesman for Metro Health, a portion of the database holding the information was moved from a secure portion of the server to another folder in July 2017. An employee discovered the mistake in April.
“To our knowledge, only the employee who moved the file to the public folder inappropriately accessed the file, simply by moving it,” Brian Todd, Metro Health spokesman, said in an email. “Her intent was to provide access to an epidemiologist within the department to analyze the data, but that epidemiologist never opened the file. So the personal information in the database was, to our knowledge, never inappropriately accessed.”
According to Todd, metadata on the server showed that the file had not been “modified” since it was uploaded, leading the agency to believe no one had accessed it.
According to the Tennessean, prior to the paper’s reporting, news of the breach had only been a rumor. Now, members of the state’s HIV community are prepping a class-action lawsuit against the city government. Frampton has filed a HIPAA complaint.
“I think it’s going to be a cut-and-dry case,” Frampton said. “It’s obviously a HIPAA violation. It sat on an unprotected server and no one noticed it for nine months. Anyone could have gotten this.”