Data of every Welsh Covid-19 patient leaked online

Public Health Wales (PHW) has issued an apology and referred itself to the Information Commissioner’s Office after accidentally leaving the personal data of 18,105 individuals – everybody in Wales who tested positive for Covid-19 between 27 February and 30 August – exposed on a public server where it was searchable by any visitor to its website.

The leak occurred on the afternoon of 30 August 2020 and the data remained viewable for just under 24 hours, during which time it was viewed 56 times, said PHW.

For most of those affected, the data consisted of initials, birth dates, location and gender, which the organisation said meant that the risk that anybody could be identified was low – it has conducted a risk assessment and received legal advice to this effect.

However, for 1,926 people living in care homes or other similar settings, such as supported housing, the information also included the name of that setting, putting them at slightly elevated risk.

“We take our obligations to protect people’s data extremely seriously and I am sorry that on this occasion we failed,” said PHW chief executive Tracey Cooper. “I would like to reassure the public that we have in place very clear processes and policies on data protection.

“We have commenced a swift and thorough external investigation into how this specific incident occurred and the lessons to be learned. I would like to reassure the public that we have taken immediate steps to strengthen our procedures and sincerely apologise again for any anxiety this may cause people.”

PHW said its investigation had found that a staff member set out to upload the data into its business intelligence platform Tableau, but accidentally clicked to publish to the public-facing server instead of the internal, restricted one.

It said there was no evidence of misuse of data, but nevertheless, as per its legal obligations, it has informed the relevant authorities and commissioned an external investigation, to be led by the head of information governance in the NHS Wales Informatics Service, which is expected to report back in the next month.

PHW has also set up an incident management team to instigate remedial action, and has already made a number of changes to its standard operating procedures, such as who is allowed to control and upload data within the organisation.

Any people in Wales who have had a positive Covid-19 test and are still concerned can read more details and FAQs concerning the incident online, contact PHW via email at [email protected], or phone 0300 003 0032.

“Clearly, this is an unfortunate mistake,” said Richard Meeus, security, technology and strategy director at Akamai Technologies. “Sadly, these kinds of issues are something we often observe across the online world, so it is essential that companies continuously work to educate employees of their responsibilities when handling personal data and the crucial considerations around GDPR [General Date Protection Regulation].

“Furthermore, businesses and organisations can adopt measures themselves that prevent or mitigate the impact of a potential situation like this, such as employing the principle of least privilege, which states that employees can only perform actions required to do their job, allowing for additional checks and verifications for processes that could have unwanted consequences.”