Public Health Wales says leak that affected more than 18,000 people to have tested positive was attributable to ‘human error’

Credit: Katie Collins/EMPICS Entertainment

Personal information of every person in Wales to have tested positive for coronavirus up to the end of last month has been compromised in a data breach.

The incident occurred on 30 August when an employee of Public Health Wales was uploading data to the Tableau business-intelligence software platform used by the organisation.

“Unfortunately, at the last minute, the member of staff clicked to publish on the public-facing server rather than the internal restricted one,” Public Health Wales said.

The personal data of 18,105 people that have tested positive for coronavirus was thus published; this represents all confirmed cases of the disease in Wales from the first positive test on 27 February through to the date of the breach.

In 16,179 cases, the data leaked included the individual’s initials, sex, date of birth, and local authority area.

The remaining 1,926 people live in “closed settings”, such as a nursing home or supported-living facility – or share a postcode with such a setting. In these cases, the name of this setting was also published. 

Related content

• Whitehall departments reported 500 personal data breaches to ICO in FY20
• How digital records are changing NHS care in Wales
• GDPR blamed for doubling of Whitehall’s recorded data breaches

“[Data published] did not contain the person’s NHS number and we do not believe it would be possible to access other health or financial records using this data alone,” Public Health Wales said. “However, we recognise that the disclosure of any confidential personal information is likely to cause concern and anxiety among those affected and we deeply regret that this has happened.”

Information was publicly visible from 2pm on 30 August until 9.50am the following day. It was viewed 56 times during that period, but it is not possible to identify who did so, according to the health authority.

Those affected by the breach are not being individually contacted as Public Health Wales has “concluded, after legal advice and consultation with the ICO, that writing to all those affected is not required in this case because the risk to them is considered low”.

It added: “There is no evidence that any of the personal information involved in the data breach has been misused and we do not believe it would be possible to access other health or financial records using this information alone. However, we are monitoring the situation.”

The breach took place on the Saturday and Sunday of the August bank holiday weekend and the Information Commissioner’s Office and the Welsh Government was notified of the incident on Wednesday 2 September.

The ICO is understood to be examining the breach and Public Health Wales has also commissioned an external review, to be led by the head of information governance at the NHS Wales Informatics Service.  

This review, which is due to report back in four weeks’ time, will “look into exactly how this happened and what lessons can be learned”. Its investigation will include an examination of why the data in question was not “anonymised or pseudonymised”.

“The data was designed to be identifiable only by those with other detailed information on recent cases, who already need to have access to named patient data through our health protection response, in order to provide public health advice,” Public Health Wales said. “This was an internal dashboard designed for these NHS professionals and was published publicly in error.”

While the review goes on, the health agency has already “taken immediate steps to prevent a similar incident from happening again”. 

This includes the creation of an incident-management team tasked with overseeing “remedial actions”.

“[This has] already resulted in changes to our standard operating procedures so that any data uploads are now undertaken by a senior member of the team,” Public Health Wales said. “We have also informed our health board and local authority partners and have kept them up to date with the position.”

Other measures implemented in light of the incident include separating processes for the use of internal and external dashboards, and instituting additional checks on servers.

Tracey Cooper, chief executive of Public Health Wales said: “We take our obligations to protect people’s data extremely seriously and I am sorry that on this occasion we failed. I would like to reassure the public that we have in place very clear processes and policies on data protection. We have commenced a swift and thorough external investigation into how this specific incident occurred and the lessons to be learned. I would like to reassure our public that we have taken immediate steps to strengthen our procedures and sincerely apologise again for any anxiety this may cause people.”

Anyone concerned about their data or that of a loved one having been compromised is advised to call 0300 003 0032 or email phw.data@wales.nhs.uk.