Due to a government error, the identities of HIV positive people in Tennessee have been released to a database accessible to all government employees in the state.
According to the New York Post, the database of private medical information was only supposed to be viewed by three scientists employed by the government. However, now over 500 Tennessee government employees have had access to it for as long as nine months.
The supposedly private database, containing the names, lab results, and social security numbers of patients living with HIV, was discovered to be stored on a shared computer server, a server that is accessible to any employee or official in the agency.
Metro Health officials told a state newspaper, The Tennessean, that they did not think the “database was improperly opened during the nine months it was on the shared server because there is at least some evidence the file was never touched.”
Officials, however, remain uncertain about what might have happened, adding that “An employee could have copied the information onto a thumb drive without anyone knowing due to a server auditing feature being left inactive.”
Officials reportedly first noticed the database was connected or shared to an open server a full two months ago, although the general public had not been aware.
Meanwhile, Tennessee residents living with HIV are alarmed that such a major error has occurred, fearing for the state and future of their jobs, health insurance, and families.
Brady Dale Morris, an HIV-positive man, told The Tennessean, “They know that, if this information got into the wrong hands, they could lose their family.”
Shocked, Morris continued, “They could lose their jobs. They could lose their insurance. They could lose their homes. They could be kicked out of their church. There all kinds of implications and ramifications — being HIV positive goes into every nook and cranny of our existence.”
While the Tennessee Department of Health has yet to conduct its own investigation, Metro Health has looked into the incident, finding no employees at fault so far.
The public policy director of Nashville CARES, Larry Frampton, filed a HIPAA complaint against the federal government in the wake of this news. Frampton commented, “I think it’s going to be a cut and dry case.”
“It’s obviously a HIPAA violation,” he continued. “It sat on an unprotected server and no one noticed it for nine months. Anyone could have gotten this.”