‘Human error’ blamed for data breach resulting in every positive Covid case in Wales being published
The personal data of every Welsh resident who tested positive for Covid-19 was accidentally uploaded to a public server, where it was searchable by anyone using the site.
Public Health Wales said the data breach, involving the details of 18,105 Welsh residents, was the result of “individual human error”.
In the cases of 16,179 people, the information published consisted of their initials, date of birth, geographical area and sex.
However, for 1,926 people living in nursing homes or other enclosed settings such as supported housing, or residents who shared the same postcode as those settings, the information also included the name of the setting.
The data was for every Welsh resident who had tested positive for Covid-19 between February 27 and August 30.
Public Health Wales removed the data on the morning of August 31 after being alerted to the breach. In the 20 hours it was online, it had been viewed 56 times.
A spokesman said there was “no evidence at this stage” that the data had been misused.
Tracey Cooper, chief executive of Public Health Wales, said: “We take our obligations to protect people’s data extremely seriously and I am sorry that on this occasion we failed.
“I would like to reassure the public that we have in place very clear processes and policies on data protection.
“We have commenced a swift and thorough external investigation into how this specific incident occurred and the lessons to be learned.
“I would like to reassure our public that we have taken immediate steps to strengthen our procedures and sincerely apologise again for any anxiety this may cause people.”
The Information Commissioner’s Office (ICO) and the Welsh Government were informed of the breach on September 2 and an external investigation has been commissioned.
This will be led by the head of governance at the NHS Wales Informatics Service.
A risk assessment and legal advice have concluded that the risk of identifying the individuals affected by the data breach “appears low”, Public Health Wales said.
The Welsh Government said it was not commenting on the data breach.
Andrew RT Davies MS, shadow health minister for the Welsh Conservatives, questioned why Health Minister Vaughan Gething had not spoken about the breach during a press conference on Monday.
“I acknowledge that the risk is considered to be ‘low’, but I’m not sure that that will be much comfort to the nearly 2,000 residents of care homes or other enclosed settings whose – albeit limited – information was posted along with their place of residence,” Mr Davies said.
“The Health Minister appears to have sat on this for two weeks and done a press conference earlier today without disclosing this significant failing – and that’s unacceptable.
“When people across Wales are being asked to provide our personal data for the purposes of track and trace this revelation could well damage public confidence.”
Rhun ap Iorwerth MS, shadow health minister for Plaid Cymru, said the breach must not happen again.
“Any data breach is serious, and this data breach including potential means of identifying patients is of serious concern,” he said.
“Public Health Wales and Welsh Government have to be able to explain how exactly this happened, and give assurances that this can’t happen again.
“People need to know that information held about them and their health is in safe hands, and this will raise questions in the minds of many people.”
A spokeswoman for the ICO said it would be “making inquiries” into the breach.
“Trust and confidence in the way NHS Wales Test, Trace and Protect Service uses and safeguards personal data is essential to public participation, so the programme is successful in helping tackle the coronavirus pandemic,” she said.
“Public Health Wales has made us aware of an incident and we will be making enquiries.”
Copyright (c) PA Media Ltd. 2020, All Rights Reserved. Picture (c) Public Health Wales.