It was a stunning admission by Metro Public Health officials last week, that thousands of Tennesseans had their HIV status information compromised. But moving forward legally might be tricky for those impacted by the data breach.
For nearly nine months, a file containing the HIV status information of thousands of Tennesseans sat on a publicly accessible server at the department.
Officials found out about the problem in April but didn't publicly acknowledge the issue until NewsChannel 5 and the Tennessean began asking questions last week. The database contains information belonging to people who tested positive for HIV as well as their social security numbers and even sexual orientation.
Metro Public Health officials maintain that the information was never accessed by anyone outside of the agency.
"Mistakes were made that made that information publicly accessible and violated people's trust and confidence," says Thomas Ritter an attorney with Thompson Burton law in Franklin.
Ritter, who is an expert is cyber security law, says patients impacted by the data breach likely wouldn't be able to go after Metro Public Health under HIPPA laws but could still possibly sue for negligence or emotional distress damages.
He also would advise Metro to use this as an opportunity to implement a more stringent security plan, which would include biannual reviews of internal security policies and procedures surrounding data governance.
"I think there’s a huge expectation of privacy that when you hand over your HIV status information, they’ll do their due diligence to protect it."