'Human error' sees personal data of 18,000 coronavirus patients in Wales published online

Public Health Wales said the data breach was the result of "individual human error"
Data on more 18,000 Covid-19 cases was accidentally published (file photo)
Pixabay
Imogen Braddick14 September 2020

Personal details of more than 18,000 residents in Wales who tested positive for coronavirus were accidentally uploaded to a public server, where it was searchable by anyone using the site.

In the cases of 16,179 people, the information published consisted of their initials, date of birth, geographical area and sex.

For 1,926 people living in nursing homes or other enclosed settings such as supported housing, or residents who shared the same postcode as those settings, the information also included the name of the setting.

The data was for every Welsh resident who had tested positive for Covid-19 between February 27 and August 30.

Public Health Wales said the data breach was the result of "individual human error".

The health body removed the data on the morning of August 31 after being alerted to the breach.

In the 20 hours it was online, it had been viewed 56 times.

A spokesman said there was "no evidence at this stage" that the data had been misused.

Coronavirus: Weekend Round-up before New Rule of Six - In pictures

1/23

"We take our obligations to protect people’s data extremely seriously and I am sorry that on this occasion we failed," Tracey Cooper, chief executive of Public Health Wales, said.

"I would like to reassure the public that we have in place very clear processes and policies on data protection.

"We have commenced a swift and thorough external investigation into how this specific incident occurred and the lessons to be learned.

"I would like to reassure our public that we have taken immediate steps to strengthen our procedures and sincerely apologise again for any anxiety this may cause people.”

The Information Commissioner’s Office and the Welsh Government were informed of the breach on September 2 and an external investigation has been launched, which will be led by the head of governance at the NHS Wales Informatics Service.

A risk assessment and legal advice have concluded that the risk of identifying the individuals affected by the data breach "appears low", Public Health Wales said.

The Welsh Government said it was not commenting on the data breach.

Andrew RT Davies MS, shadow health minister for the Welsh Conservatives, questioned why Health Minister Vaughan Gething had not spoken about the breach during a press conference on Monday.

"I acknowledge that the risk is considered to be ‘low’, but I’m not sure that that will be much comfort to the nearly 2,000 residents of care homes or other enclosed settings whose – albeit limited – information was posted along with their place of residence," Mr Davies said.

"The Health Minister appears to have sat on this for two weeks and done a press conference earlier today without disclosing this significant failing – and that’s unacceptable.

"When people across Wales are being asked to provide our personal data for the purposes of track and trace this revelation could well damage public confidence.”

Rhun ap Iorwerth MS, shadow health minister for Plaid Cymru, said the breach must not happen again.

"Any data breach is serious, and this data breach including potential means of identifying patients is of serious concern," he said.

"Public Health Wales and Welsh Government have to be able to explain how exactly this happened, and give assurances that this can’t happen again.

"People need to know that information held about them and their health is in safe hands, and this will raise questions in the minds of many people."

A spokeswoman for the ICO said it would be "making enquiries" into the breach.

"Trust and confidence in the way NHS Wales Test, Trace and Protect Service uses and safeguards personal data is essential to public participation, so the programme is successful in helping tackle the coronavirus pandemic,” she said.

"Public Health Wales has made us aware of an incident and we will be making enquiries."

Create a FREE account to continue reading

eros

Registration is a free and easy way to support our journalism.

Join our community where you can: comment on stories; sign up to newsletters; enter competitions and access content on our app.

Your email address

Must be at least 6 characters, include an upper and lower case character and a number

You must be at least 18 years old to create an account

* Required fields

Already have an account? SIGN IN

By clicking Create Account you confirm that your data has been entered correctly and you have read and agree to our Terms of use , Cookie policy and Privacy policy .

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged in