Data breach exposes details of 18,000 people who tested positive for COVID-19

Human error sees Welsh residents' details leaked for 20 hours on a public-facing server

The initials, date of birth, geographical area and gender of more than 18,000 Welsh residents who tested positive for COVID-19 was exposed for 20 hours during the August bank holiday weekend.

While in the majority of cases, 16.179 individuals, the risk of identifying people is low, the data breach also saw the location of 1,926 people living in nursing homes or other enclosed settings exposed.

The incident was the result of human error, according to Public Health Wales, and arose when an employee was transferring the data of positive COVID-19 tests to the business intelligence software Tableau on 30 August. 

At the last minute, the staff member clicked to publish the data to the public-facing server rather than the internal restricted one, causing the data to be exposed for 20 hours until it was discovered and removed.

“We take our obligations to protect people’s data extremely seriously and I am sorry that on this occasion we failed. I would like to reassure the public that we have in place very clear processes and policies on data protection,” said chief executive of Public Health Wales, Tracey Cooper. 

“We have commenced a swift and thorough external investigation into how this specific incident occurred and the lessons to be learned. I would like to reassure our public that we have taken immediate steps to strengthen our procedures and sincerely apologise again for any anxiety this may cause people.”

This data was collected from laboratories by the Communicable Disease Surveillance Centre (CDSC), which is the epidemiological investigation branch of Public Health Wales, and is used by the organisation to improve the national response to fighting the virus. This data is not the same as used by the NHS app, nor is it the same data collected by the national test and trace scheme, which is stored and processed on a separate system. 

Having conducted a risk assessment and sought legal advice, Public Health Wales has determined the risk of identification of the exposed individuals is low, with no evidence so far the data has been misused. That said, 56 individuals accessed the leaked data during the 20 hour period, although Tableau does not offer functionality to track who specifically has viewed the data.

Public Health Wales claims it has taken steps to prevent a similar incident from occurring again, namely establishing an incident management team to instigate remedial actions. Such steps include changing the standard operating procedures so that any data uploads are undertaken by a senior member of the team.

Related Resource

Building a modern information governance strategy

How to rethink your approach to develop a more modern information governance strategy

How to build a modern information governance strategyDownload now

The organisation also informed the Information Commissioner’s Office (ICO) on 2 September, in accordance with requirements under GDPR, as well as the Welsh government. 

“Trust and confidence in the way NHS Wales Test, Trace and Protect Service uses and safeguards personal data is essential to public participation, so the programme is successful in helping tackle the coronavirus pandemic,” an ICO spokesperson said. “Public Health Wales has made us aware of an incident and we will be making enquiries.”

The head of information governance at the NHS Wales Informatics Service will also be conducting an investigation into the data breach to uncover the full circumstances as well as any potential lessons that can be learned.

Featured Resources

Choosing a collaboration platform

Eight questions every IT leader should ask

Download now

Performance benchmark: PostgreSQL/ MongoDB

Helping developers choose a database

Download now

Customer service vs. customer experience

Three-step guide to modern customer experience

Download now

Taking a proactive approach to cyber security

A complete guide to penetration testing

Download now

Most Popular

How to find RAM speed, size and type

How to find RAM speed, size and type

8 Apr 2021
Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
REvil threatens to release Apple’s hardware schematics

REvil threatens to release Apple’s hardware schematics

21 Apr 2021