Thousands of HIV or AIDS patients — living or dead — may have had their health information dating as far back as 1983 compromised for about nine months when a database was left accessible to staff at the Nashville Metro Public Health Department, according to a Tennessean news report.
The database was only meant to be viewable for three government scientists; however, more than 500 employees at the agency were able to access it. The information stored on the database includes patients' identities, Social Security numbers, birthdays, addresses, lab results and intimate information, such as sexual preference and illegal drug use. Most of the affected individuals were from 12 Middle Tennessee counties.
Metro Health officials discovered the database — which was originally part of the Enhanced HIV/AIDS Reporting System, a federal initiative to collect all HIV patients' information — on a shared server in May. Most of the employees who had access to it don't do work related to HIV or AIDS, but officials don't believe it was improperly opened, citing evidence the file was never touched. However, officials cannot definitively say whether the data had been viewed because a server auditing feature that tracks activity was inactive.
"To our knowledge, only the employee who moved the file to the public folder inappropriately accessed the file, simply by moving it," a department spokesperson told the Tennessean in an email. "Her intent was to provide access to an epidemiologist within the department to analyze the data, but that epidemiologist never opened the file. So the personal information in the database was, to our knowledge, never inappropriately accessed."