IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Data breach exposes details of 18,000 people who tested positive for COVID-19

Human error sees Welsh residents' details leaked for 20 hours on a public-facing server

The initials, date of birth, geographical area and gender of more than 18,000 Welsh residents who tested positive for COVID-19 was exposed for 20 hours during the August bank holiday weekend.

While in the majority of cases, 16.179 individuals, the risk of identifying people is low, the data breach also saw the location of 1,926 people living in nursing homes or other enclosed settings exposed.

The incident was the result of human error, according to Public Health Wales, and arose when an employee was transferring the data of positive COVID-19 tests to the business intelligence software Tableau on 30 August. 

At the last minute, the staff member clicked to publish the data to the public-facing server rather than the internal restricted one, causing the data to be exposed for 20 hours until it was discovered and removed.

“We take our obligations to protect people’s data extremely seriously and I am sorry that on this occasion we failed. I would like to reassure the public that we have in place very clear processes and policies on data protection,” said chief executive of Public Health Wales, Tracey Cooper. 

“We have commenced a swift and thorough external investigation into how this specific incident occurred and the lessons to be learned. I would like to reassure our public that we have taken immediate steps to strengthen our procedures and sincerely apologise again for any anxiety this may cause people.”

This data was collected from laboratories by the Communicable Disease Surveillance Centre (CDSC), which is the epidemiological investigation branch of Public Health Wales, and is used by the organisation to improve the national response to fighting the virus. This data is not the same as used by the NHS app, nor is it the same data collected by the national test and trace scheme, which is stored and processed on a separate system. 

Having conducted a risk assessment and sought legal advice, Public Health Wales has determined the risk of identification of the exposed individuals is low, with no evidence so far the data has been misused. That said, 56 individuals accessed the leaked data during the 20 hour period, although Tableau does not offer functionality to track who specifically has viewed the data.

Public Health Wales claims it has taken steps to prevent a similar incident from occurring again, namely establishing an incident management team to instigate remedial actions. Such steps include changing the standard operating procedures so that any data uploads are undertaken by a senior member of the team.

Related Resource

Building a modern information governance strategy

How to rethink your approach to develop a more modern information governance strategy

How to build a modern information governance strategyDownload now

The organisation also informed the Information Commissioner’s Office (ICO) on 2 September, in accordance with requirements under GDPR, as well as the Welsh government. 

“Trust and confidence in the way NHS Wales Test, Trace and Protect Service uses and safeguards personal data is essential to public participation, so the programme is successful in helping tackle the coronavirus pandemic,” an ICO spokesperson said. “Public Health Wales has made us aware of an incident and we will be making enquiries.”

The head of information governance at the NHS Wales Informatics Service will also be conducting an investigation into the data breach to uncover the full circumstances as well as any potential lessons that can be learned.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Most Popular

Salaries for the least popular programming languages surge as much as 44%

Salaries for the least popular programming languages surge as much as 44%

23 Jun 2022
The UK's best cities for tech workers in 2022
Business strategy

The UK's best cities for tech workers in 2022

24 Jun 2022
LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

27 Jun 2022