Tennessee health data breach exposes information on thousands of HIV patients

The affected data, covering residents of 12 counties, was publicly accessible for nine months before it was discovered.

The personal health information of thousands of HIV and AIDS patients in central Tennessee was left available for any employee of a regional health agency to access for a nine-month period, Nashville health officials acknowledged this week.

The data breach, which was reported by the Tennessean newspaper, exposed information on patients being treated by the Nashville Metro Public Health — which covers Nashville and 12 surrounding counties — including names, addresses and dates of birth, along with much more intimate details like HIV statuses, sexual orientations, gender identities and drug-use histories.

The database, which contains information from the Centers for Disease Control and Prevention, is only supposed to be accessible to three employees who work with HIV and AIDS patients. But, according to the Tennessean, the database was left on a shared server accessible to as many as 500 public health workers.

Authorities do not believe any unauthorized personnel accessed the file before the breach was discovered in April, but the possibility that it might have been accessed posed a big risk to the affected patients. Advocates for AIDS research say that disclosing patients’ identities without their consent can often make them less likely to seek treatment for the chronic immune-system disease or lead them to be ostracized by friends, family or employers.


“They know that, if this information got into the wrong hands, they could lose their family,” Nashville resident Brady Dale Morris, who is HIV-positive, told the Tennessean.

But, the report says, officials also have no way to be sure the database was never accessed. A Metro Health spokesman told the Tennessean that the patient file was supposed to be stored in a folder for the Ryan White Program, a federal grant initiative that provides funding to AIDS treatment facilities. But it was moved to a public folder last year by an employee who placed it there expecting it to be opened by a hospital epidemiologist. When it wasn’t opened, it remained in the public folder until it was discovered in April.

Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.
