Welsh data breach exposes information of Covid-19 patients

  • 15 September 2020
Welsh data breach exposes information of Covid-19 patients

Public Health Wales has confirmed a data breach which involved the personally identifiable data of Welsh residents who have tested positive for Covid-19.

The incident, which was the result of individual human error, occurred on 30 August 2020 when the personal data of 18,105 Welsh residents who have tested positive for Covid-19 was uploaded by mistake to a public server where it was searchable by anyone using the site.

After being alerted to the breach, Public Health Wales said the data was removed the next morning (31 August 2020). It also confirmed that in the 20 hours it was online it had been viewed 56 times.

In the majority of cases (16,179 people) the information consisted of their initials, date of birth, geographical area and sex. Public Health Wales has said the risk that they could be identified was low.

However, for 1,926 people living in nursing homes or other enclosed settings such as supported housing, or residents who share the same postcode as these settings, the information also included the name of the setting.

The risk of identification for these individuals therefore is higher but is still considered low, Public Health Wales said.

The health body also said in a statement there is no evidence at this stage that the data has been misused.

“We recognise the concern and anxiety this will cause and deeply regret that on this occasion we have failed to protect Welsh residents’ confidential information,” the statement added.

Public Health Wales said a risk assessment has been conducted and legal advice had been sought, both of which advise that the risk of identification of the individuals affected by this data breach appears low.

The Information Commissioner’s Office and Welsh Government have also been informed by Public Health Wales. An external investigation into the full circumstances surrounding the data breach and any lessons to be learned has also been commissioned and will be led by the Head of Information Governance at the NHS Wales Informatics Service.

Public Health Wales said it has taken “immediate steps to prevent a similar incident from happening again”. This includes establishing an Incident Management Team.

Tracey Cooper, chief executive of Public Health Wales, said: “We take our obligations to protect people’s data extremely seriously and I am sorry that on this occasion we failed. I would like to reassure the public that we have in place very clear processes and policies on data protection.

“We have commenced a swift and thorough external investigation into how this specific incident occurred and the lessons to be learned. I would like to reassure our public that we have taken immediate steps to strengthen our procedures and sincerely apologise again for any anxiety this may cause people.”

Public Health Wales said anyone concerned that their data, or that of a close family member, may have been breached and wanting advice should firstly read the FAQs at www.phw.nhs.wales then email them at PHW.data@wales.nhs.uk if they have any additional questions.

Subscribe to our newsletter

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Sign up

Related News

Data published online following data breach at Alder Hey

Data published online following data breach at Alder Hey

A major data breach of Alder Hey Children’s NHS FT's online systems has seen private information published online and shared via social media.
Kootenai Health cyber attack impacts 464,000 patients

Kootenai Health cyber attack impacts 464,000 patients

US healthcare provider Kootenai Health has revealed that data belonging to 464,000 patients has been compromised following a cyber attack.
InterSystems TrakCare implemented by Digital Health and Care Wales

InterSystems TrakCare implemented by Digital Health and Care Wales

Digital Health and Care Wales is rolling out InterSystems TrakCare to help streamline pathology operations across NHS Wales.