Public Health Wales yesterday announced a data breach involving the personally identifiable data of 18,105 people resident in Wales who had received a positive test for Covid-19.
In a statement, the health body attributed the incident to “individual human error”, whereby the data was mistakenly uploaded to a public server on 30 August, remaining searchable for 20 hours before its removal on the morning of 31 August. During this period, when anyone using the site could access the data, it was viewed 56 times.
The information in most cases comprised initials, date of birth, geographical area and sex, meaning the risk of identification was deemed low. But the setting name was revealed in data for 1,926 residents of enclosed settings such as nursing homes, supported housing, or addresses sharing the same postcode as such settings. This raises the risk of identification, but the risk is still “low”, according to Public Health Wales. At this point, there is no evidence suggesting any data has been misused.
The breach has been reported to the Information Commissioner’s Office and Welsh Government, and an external investigation has been commissioned.
Tracey Cooper, chief executive of Public Health Wales, said: “We take our obligations to protect people’s data extremely seriously and I am sorry that on this occasion we failed. I would like to reassure the public that we have in place very clear processes and policies on data protection. We have commenced a swift and thorough external investigation into how this specific incident occurred and the lessons to be learned. I would like to reassure our public that we have taken immediate steps to strengthen our procedures and sincerely apologise again for any anxiety this may cause people.”