The Homelessness Planning Council’s HMIS Oversight and Data Committee reported a significant wrongful disclosure of protected client information and won a formal commitment from the council for immediate remedial steps.

Shanley Degnan, chair of the HMIS Oversight and Data Committee, told the council that invoices released by Metro Finance included "259 client names, a copy of their lease, which includes their new permanent address, their landlords names, their rental amount" and in several instances contact information. Degnan said that HUD technical standards consider secondary materials tied to HMIS to be protected and that the release therefore constituted an HMIS data breach.

The oversight committee presented a seven-point action plan the committee and Office of Homeless Services (OHS) jointly recommended. The steps include: identifying exactly which data were released (already obtained by the oversight committee), creating a written plan and timeline for notifying impacted clients, determining what resources (such as credit monitoring or other supports) can be offered, contacting known recipients to request destruction of the materials, drafting a Metro policy that requires OHS review of public-records requests affecting OHS data, expanding privacy and security training for departments with potential access, and reporting progress to the oversight committee on Jan. 26.

April (OHS staff) said OHS is reviewing its policy and procedures and has reached out to the Office of Family Safety to get guidance for notifying people fleeing domestic violence, adding: "This is not something that we, as OHS, take lightly." Shanley Degnan and OHS staff described collaborative work with Metro legal and Metro Finance to determine root causes and process changes.

During the meeting the council voted to send formal written correspondence to two known recipients asking that they destroy the materials and not share them further; Chair called the motion and the body approved the request with one recorded abstention. The oversight committee noted that some documents were already posted publicly in other locations and that recall may not be complete, increasing the urgency of client notification.

The committee also asked the council to consider hiring a third-party reviewer because of the scale of the disclosure and to clarify who will pay for any notification or remediation work; OHS said it would work with other Metro offices on timelines and resources and report back in January.

Next steps: the oversight committee will continue to compile the list of affected clients and coordinate with OHS and Metro Finance on a notification timeline and remedial resources. The council directed staff to draft the formal correspondence to known recipients and to report progress at the next oversight meeting.