Puzzling Health Dept. Privacy Incident Exposes HIV Data
Thousands of Individuals' Data Was Allegedly Accessible to All Agency Workers
An incident involving an unsecured database containing information about thousands of HIV/AIDS patients in Tennessee is shining a spotlight on privacy risks involving sensitive health data.
Security experts say the incident reinforces the need to conduct a risk analysis when environmental or operational changes are made that potentially impact data security and privacy.
According to the Tennessean news site, for about nine months, information dating back as far as 1983 about individuals in Tennessee with HIV/AIDS was left accessible on a shared computer server open to all staff members at the Nashville Metro Public Health Department.
The database was supposed to be accessible to only three government scientists, but instead was accessible to the agency's more than 500 employees, most of whom do not work on HIV- or AIDS-related issues, according to the news report.
In addition to identities of HIV/AIDS patients, the unsecured database allegedly contained Social Security numbers, birthdays, addresses, lab results and intimate details, such as whether individuals were gay, bisexual or transgender - and whether they ever used illegal drugs.
Source of Data
The data that was placed on the shared server at Metro Public Health was sourced from the U.S. Centers for Disease Control and Prevention's Enhanced HIV/AIDS Reporting System. The eHARS nationwide database has been compiled by the federal government since 1983.
HIV patients are automatically added to eHARS when their infection is first confirmed in a laboratory test, even if individuals do not disclose their status to others or seek support services, the Tennessean reports. Individuals' data remains in the database even after death.
Metro Public Health confirmed to the Tennessean that data from the eHARS database containing information about individuals with HIV/AIDS in 12 Tennessee counties was inappropriately moved by a staff member from a secure portion of the Nashville health agency's shared computer server in July 2017.
The data was initially moved to a server folder reserved for the Ryan White Program, an HIV grant program, then moved again a day or two later to another server folder that was accessible to all Metro Public Health employees, according to the news report. The data stayed in this folder until it was discovered by an employee in April.
A Metro Public Health spokesman told the Tennessean that the employee who moved the file to the public folder apparently was the only individual who inappropriately accessed the file. "Her intent was to provide access to an epidemiologist within the department to analyze the data, but that epidemiologist never opened the file. So the personal information in the database was, to our knowledge, never inappropriately accessed," the Metro Public Health spokesman said.
Metro Public Health officials do not believe the database had been improperly accessed for two primary reasons, the Tennessean reports. "First, the eHARS database was kept in an uncommon file format, known as SAS, which is used by only eight agency employees; and second, metadata attached to the file showed it had not been 'modified' since it was uploaded to the shared server last summer," the spokesman reportedly said.
But computer files can be duplicated without modifying their metadata, and a version of the SAS program can be legally downloaded by anyone for free online, according to the news report. The server's auditing feature, which normally tracks all activity on the server, apparently had been left off, the report notes. Therefore, anyone with access to Metro Public Health's shared server could potentially have copied the database and then opened it later on a computer outside of the building, according to the Tennessean.
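To make the metadata point concrete, here is an added Python example (not from the article or the agency) that back-dates a constructed sample file to a made-up 2017 upload time, reads it, then copies it with shutil.copy2: the source file's modification time never changes and the copy carries the same old timestamp, so an unchanged "modified" field is no evidence that a file was never opened or duplicated. Only the destination's inode change time shows the copy is fresh, and that lives on the copying machine, not on the server, which is why a server-side audit trail is the evidence that matters.

```python
import os
import shutil
import tempfile
import time
from datetime import datetime, timezone

# Constructed stand-in for the exported file; the real data set is not on the page.
SAMPLE_RECORDS = b"record_id,county,diagnosis_year\n0001,C01,1991\n0002,C02,2005\n"

# Constructed "upload" time (2017-07-15 12:00 UTC), standing in for "last summer".
UPLOAD_TIME_NS = int(datetime(2017, 7, 15, 12, 0, tzinfo=timezone.utc).timestamp()) * 10**9


def mtime_evidence_check(workdir):
    """Plant a back-dated file, read it, copy it, and report what the timestamps show."""
    original = os.path.join(workdir, "export.sas7bdat")
    with open(original, "wb") as fh:
        fh.write(SAMPLE_RECORDS)
    # Back-date the file so it looks as if it has sat on the share since the upload.
    os.utime(original, ns=(UPLOAD_TIME_NS, UPLOAD_TIME_NS))

    # 1. Reading the whole file is access, yet the modification time does not move.
    with open(original, "rb") as fh:
        data = fh.read()
    mtime_after_read = os.stat(original).st_mtime_ns

    # 2. A metadata-preserving copy (shutil.copy2) carries the old mtime to the copy.
    copy_path = os.path.join(workdir, "copy.sas7bdat")
    shutil.copy2(original, copy_path)
    copy_stat = os.stat(copy_path)

    return {
        "content_read": data == SAMPLE_RECORDS,
        "source_mtime_unchanged": mtime_after_read == UPLOAD_TIME_NS,
        "copy_mtime_looks_old": copy_stat.st_mtime_ns == UPLOAD_TIME_NS,
        # Only the destination's inode change time betrays that the copy is fresh.
        "copy_ctime_is_recent": abs(copy_stat.st_ctime - time.time()) < 60,
    }


def run_demo():
    """Run the check in a scratch directory and return its findings."""
    with tempfile.TemporaryDirectory() as workdir:
        return mtime_evidence_check(workdir)


if __name__ == "__main__":
    for finding, value in run_demo().items():
        print(f"{finding}: {value}")
```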
Metro Public Health reported the incident to the Tennessee Department of Health, but the state agency did not conduct its own investigation, a spokeswoman for the state agency tells Information Security Media Group.
"The Tennessee Department of Health was alerted of the situation at Metro Public Health Department regarding concerns about the confidentiality of data. Upon inquiry, the Tennessee Department of Health received the findings of Metro Public Health Department's internal investigation which did not reveal any data had been made public," she says. No separate Tennessee Department of Health investigation was warranted, and no further investigations are planned by the state health department, she says.
Metro Public Health also reportedly did not consider the incident a violation of HIPAA, and so the Nashville agency did not notify the HIV community or the U.S. Department of Health and Human Services' Office for Civil Rights about the incident. The Nashville agency did not immediately respond to ISMG's request for comment on the incident.
Some security experts say determining whether the incident was, indeed, a HIPAA violation is challenging.
"From a HIPAA perspective, impermissible uses and disclosures can occur inside an organization, particularly if protected health information is shared with individuals beyond what is required by the minimum necessary standard under the HIPAA Privacy Rule, which includes the requirement to implement role-based access to PHI," says privacy attorney Iliana Peters of the law firm Polsinelli. She is a former senior adviser at OCR.
"That said, a breach under HIPAA depends on whether there is more than a low risk of compromise to the PHI that was affected, and such determination depends on the analysis, evidence and documentation that the entity has and would have to produce to OCR and any particular state agency if and when asked."
David Holtzman, vice president of compliance at security consultancy CynergisTek, says the news account of data security practices of the Metro Public Health Department strongly suggests that the confidentiality of especially sensitive personal information has been compromised.
"The agency's lack of transparency leaves observers to guess if this data was protected by the HIPAA rules or whether Tennessee's breach notification laws would apply," he notes. "The authority for the department's collection of the information may be connected with the federal Ryan White HIV/AIDS program administered by the Health Resources and Services Administration, an agency of HHS."
The incident, he says, "goes to illustrate the vacuum that can be created by the fragmented approach to data protection and rights to privacy."
Lessons to Learn
So what lessons can other entities handling sensitive health information learn from the Nashville privacy incident?
"The most important lesson to learn from this type of incident is that the HIPAA Security Rule requires an evaluation in response to environmental or operational changes affecting the security of electronic PHI, and such evaluations, when appropriately undertaken, generally prevent these types of incidents, as the entity would have determined how the PHI would be affected by any environmental or operational change," Peters notes.
"Any evaluation would also include assessment of reasonable and appropriate access controls and encryption, which - particularly where sensitive information is concerned - are so important to implement."
Holtzman says the incident is an important reminder that any organization creating or maintaining sensitive personal information should perform an enterprisewide risk assessment to identify the threats and vulnerabilities to the confidentiality, integrity and availability of the data.
"Use the risk assessment to develop a plan of action that prioritizes those areas that pose the highest risk of compromise to the information system," he says. "Make it a management imperative in your organizations to follow through on investment and attention to information security."
Federal regulators, as well as some state attorneys general offices, have issued hefty fines in a number of other privacy cases involving HIV information. Some of these incidents have also led to class action lawsuits.
For instance, health insurer Aetna in January settled two lawsuits related to a mailing mishap potentially exposing HIV-related information of about 12,000 plan members. That includes a $17.2 million settlement in a class action lawsuit filed against the company and a $1.15 million settlement with the New York state attorney general's office.
In May 2017, St. Luke's-Roosevelt Hospital Center in New York agreed to a $387,000 settlement and corrective action plan to settle with OCR a case involving "careless handling of HIV information" for just two patients.
In 2011, Massachusetts General Hospital and its physicians organization entered into a resolution agreement with OCR that included paying a $1 million settlement and taking corrective action in a 2009 case involving the loss on a subway train of paper scheduling documents containing information on 192 patients, including some with HIV/AIDS.