Metro Health Employee Error Caused PHI Breach


According to a report published in The Tennessean, a Metro Health employee made a mistake that exposed the protected health information (PHI) of patients with HIV or AIDS. The employee copied the data held in a database and uploaded it to a server, giving all Nashville Metro Public Health Department personnel access to the data, even though most of them should not have had it. Access to the information was supposed to be restricted to three government scientists.

For nine months, more than 500 employees could have accessed the file, until an employee discovered it and promptly notified Metro Health officials. The file contained patients’ names, addresses, dates of birth, sexual orientation, laboratory test results, HIV diagnoses, prescribed medications and Social Security numbers. The data covered individuals residing in 12 Middle Tennessee counties.

The file was discovered just two months ago. An investigation was launched to determine how the file came to be on the server and whether anyone had accessed the sensitive data. The investigation found no evidence that anyone accessed the file, but it cannot be said with 100% certainty that it was never accessed. The file’s metadata also indicate that it was not altered while it remained on the server. Had server auditing been enabled, any access to or copying of the file would have been logged and traceable; unfortunately, it was not.

As The Tennessean reported, the employee uploaded a copy of the file to the server so that an epidemiologist could access the information. However, the epidemiologist never opened the file. Since the employee had no malicious intent, no disciplinary action was taken, but the employee did receive additional training. Metro Health has also tightened its security settings to prevent similar data breaches.

Metro Health submitted an incident report to the Tennessee Department of Health. Because Metro Health did not consider the incident a HIPAA violation, no breach report was submitted to the Department of Health and Human Services’ Office for Civil Rights (OCR), and the affected patients were not individually notified of the breach. Larry Frampton, Public Policy Director at Nashville CARES, has filed a complaint with OCR asking that the incident be investigated.