Public Health Wales has announced that a data breach has seen the data of Welsh Covid-19 sufferers posted to a publicly accessible server.
According to a statement from PHW, individual error was behind the breach which saw personally identifiable data of 18,105 people added to the server. This accounts for all those diagnosed as positive in Wales at the time.
The breach happened on the afternoon of 30th August 2020, with the data being removed in the morning on 31st August. PHW said that the data was viewed 56 times in the 20 hours it was online. PHW noted that there was no way to track who had viewed the data.
According to PHW, 16,179 people had their initials, date of birth, geographical area and sex leaked. PHW said that the risk of these people being identified was low.
However, 1,926 people were at a higher risk of identification – these are largely people who live in communal housing, such as nursing homes, supported housing, or those who share the same postcode as these places. These people had the name of their accommodation leaked as well.
PHW gave assurances that the risk to these people was still considered low.
“There is no evidence at this stage that the data has been misused. However, we recognise the concern and anxiety this will cause and deeply regret that on this occasion we have failed to protect Welsh residents’ confidential information,” the health body said in its statement.
The breach occurred when a PHW staff member tried to upload the data to the group’s business intelligence software Tableau. The person clicked the wrong button, publishing to the public-facing server rather than the internal restricted one.
“The member of staff followed the standard operating procedures for publishing the data but made a mistake when choosing which server to upload to,” PHW said.
PHW has since conducted a risk assessment and sought legal advice over the breach. The body said that both the assessment and the advice confirmed that there was a low risk of the data identifying affected individuals.
PHW has also informed the Information Commissioner’s Office and the Welsh Government. The health body has commissioned an external investigation, led by the Head of Information Governance at the NHS Wales Informatics Service, into the full circumstances surrounding the data breach.
It has also informed the health board and its local authority partners and is keeping them up to date with the situation. In the meantime, PHW has established an Incident Management Team, which has made senior team members responsible for data uploads.
Tracey Cooper, Chief Executive of Public Health Wales, said: “We take our obligations to protect people’s data extremely seriously and I am sorry that on this occasion we failed.
“I would like to reassure the public that we have in place very clear processes and policies on data protection. We have commenced a swift and thorough external investigation into how this specific incident occurred and the lessons to be learned. I would like to reassure our public that we have taken immediate steps to strengthen our procedures and sincerely apologise again for any anxiety this may cause people.”