A computer database with comprehensive, detailed information on the identities of thousands of people living with HIV in Tennessee was left on an unprotected computer server accessible to the entire staff (more than 500 employees) of the Nashville Metro Public Health Department for more than nine months, according to The Tennessean.
Reporting from the newspaper confirmed that the database included names, Social Security numbers, sexual identities and preferences, and other personal information, such as birthdays and addresses.
Though officials don’t believe that the information was improperly accessed during its time on the shared server, an auditing feature that would have tracked such activity was not active, according to The Tennessean.
Metro Health denies that the system was breached. According to The Tenessean, Metro Public Health’s director, Bill Paul, released a statement saying, “We know of no employees that opened the file, and the private information remained, and remains, private and protected.”
But the statement hasn’t calmed everyone potentially affected by the breach.
“They know that, if this information got into the wrong hands, they could lose their family,” Brady Dale Morris, 42, who has been HIV positive for about a decade, told The Tennessean. “They could lose their jobs. They could lose their insurance. They could lose their homes. They could be kicked out of their church. There all kinds of implications and ramifications—being HIV positive goes into every nook and cranny of our existence.”
The Tennessean reports that the information in the database came from a federal government program that has been collecting the personal information of those diagnosed with HIV nationwide since 1983, known as the Enhanced HIV/AIDS Reporting System (eHARS).
Metro Health reported that the portion of the database that was made susceptible contained the information of 12 counties in Middle Tennessee.
In his reporting for The Tennessean, journalist Brett Kelman provides some context: “Normally, eHARS is used to study and help combat the HIV epidemic, providing the single best data about patients and infections at a state, county or city level. This is especially true in Middle Tennessee, an HIV high-risk region, where eHARS data is used to allot millions in federal funding for support, treatment and prevention programs. Despite this funding, the community leaders said many HIV patients remain wary of the mere existence of a database, concerned that if their status is ever documented on a government list it could someday be revealed and misused.”
Larry Frampton, the public policy director at AIDS organization Nashville CARES, told the newspaper he has filed an official Health Insurance Portability and Accountability Act (HIPPA) complaint with the federal government. (Enacted in 1996, HIPPA protects patient confidentiality.)
“People literally are scared to death that their family and friends are going to find out they are positive,” Frampton said in the Tennessean.