Data breach exposes details of 18,000 people who tested positive for COVID-19

Human error sees Welsh residents' details leaked for 20 hours on a public-facing server

The initials, date of birth, geographical area and gender of more than 18,000 Welsh residents who tested positive for COVID-19 was exposed for 20 hours during the August bank holiday weekend.

While in the majority of cases, 16.179 individuals, the risk of identifying people is low, the data breach also saw the location of 1,926 people living in nursing homes or other enclosed settings exposed.

The incident was the result of human error, according to Public Health Wales, and arose when an employee was transferring the data of positive COVID-19 tests to the business intelligence software Tableau on 30 August. 

At the last minute, the staff member clicked to publish the data to the public-facing server rather than the internal restricted one, causing the data to be exposed for 20 hours until it was discovered and removed.

“We take our obligations to protect people’s data extremely seriously and I am sorry that on this occasion we failed. I would like to reassure the public that we have in place very clear processes and policies on data protection,” said chief executive of Public Health Wales, Tracey Cooper. 

“We have commenced a swift and thorough external investigation into how this specific incident occurred and the lessons to be learned. I would like to reassure our public that we have taken immediate steps to strengthen our procedures and sincerely apologise again for any anxiety this may cause people.”

This data was collected from laboratories by the Communicable Disease Surveillance Centre (CDSC), which is the epidemiological investigation branch of Public Health Wales, and is used by the organisation to improve the national response to fighting the virus. This data is not the same as used by the NHS app, nor is it the same data collected by the national test and trace scheme, which is stored and processed on a separate system. 

Having conducted a risk assessment and sought legal advice, Public Health Wales has determined the risk of identification of the exposed individuals is low, with no evidence so far the data has been misused. That said, 56 individuals accessed the leaked data during the 20 hour period, although Tableau does not offer functionality to track who specifically has viewed the data.

Public Health Wales claims it has taken steps to prevent a similar incident from occurring again, namely establishing an incident management team to instigate remedial actions. Such steps include changing the standard operating procedures so that any data uploads are undertaken by a senior member of the team.

Related Resource

Building a modern information governance strategy

How to rethink your approach to develop a more modern information governance strategy

How to build a modern information governance strategyDownload now

The organisation also informed the Information Commissioner’s Office (ICO) on 2 September, in accordance with requirements under GDPR, as well as the Welsh government. 

“Trust and confidence in the way NHS Wales Test, Trace and Protect Service uses and safeguards personal data is essential to public participation, so the programme is successful in helping tackle the coronavirus pandemic,” an ICO spokesperson said. “Public Health Wales has made us aware of an incident and we will be making enquiries.”

The head of information governance at the NHS Wales Informatics Service will also be conducting an investigation into the data breach to uncover the full circumstances as well as any potential lessons that can be learned.

Featured Resources

2021 Thales access management index: Global edition

The challenges of trusted access in a cloud-first world

Free download

Transforming higher education for the digital era

The future is yours

Free download

Building a cloud-native, hybrid-multi cloud infrastructure

Get ready for hybrid-multi cloud databases, AI, and machine learning workloads

Free download

The next biggest shopping destination is the cloud

Know why retail businesses must move to the cloud

Free Download

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Apple iPad (2021) review: The best entry-level iPad
tablets

Apple iPad (2021) review: The best entry-level iPad

12 Oct 2021