Human error blamed in Welsh Covid-19 patient data leak

Public Health Wales (PHW) has accepted in full the recommendations of an independent investigation which found that simple human error was to blame for the August 2020 data leak that saw the personal data of 18,105 people who had received a positive Covid-19 test made publicly available.

The breach occurred on 30 August when data being entered into the organisation’s Tableau business intelligence platform was published to a live public server, where it remained searchable by anyone viewing the PHW website. During the 20 hours it remained available, it was viewed 56 times.

The investigation, led by NHS Wales Informatics Service head Darren Lloyd and NHS Wales information sharing and governance manager John Sweeney, found no evidence that the data was misused, and reported that the publication of the data was entirely in error.

During the investigation, they said, senior managers “spoke highly” of the individuals within their team, and saw the breach as a series of unintended consequences arising from a mistake any one of them could have made, and was not the result of any malicious intent. They have also published an action plan setting out a number of improvements to processes and procedures at PHW.

PHW chief executive Tracey Cooper said: “This has been a thorough investigation and we accept all of its recommendations. We take our obligations to protect people’s data extremely seriously and I am truly sorry that on this occasion we failed.

“Among the investigation’s findings, it was reported that, while the incident was the result of human error in the last step of the publishing process, the publishing process itself could have included additional safeguards. Following the data breach, we took immediate action to address this and the recommendations contained within this report also outline further areas that we can improve to prevent such an incident happening again.

“The report also stated that pressures of work may have been a factor. We acknowledge that, due to the unprecedented increase in demand for Covid-19 information, there has been significant pressure on the teams involved.”

Cooper added: “While we have mobilised additional resource for our teams, it has been challenging to ensure there is sufficient resource in place to keep up with the demand and pace required. We continue to work to ensure that our people with a greater responsibility to meet the demands of the pandemic are given the support and resources they need.”

She said PHW was committed to implementing all the recommendations contained in the report, and reiterated that steps already taken have led to “considerable improvements” in the organisation’s cyber security posture.

Gurucul CEO Saryu Nayyar commented: “Human error is, unfortunately, a common root cause for data exposure, as it was here in the Public Health Wales case. However, it also appears there were issues with policies and procedures that made the human error possible.

“Information security is not a set it and forget it process. Organisations need to continually review and revise their tools and procedures to keep them effective.  Process needs to be in place to minimise the risk of human error, and tools like behavioural analytics need to be deployed to recognise and mitigate risk before it leads to exposures like this one.”

But Chloé Messdaghi, vice-president of strategy at Point3 Security said PHW had not been as open about the incident as it could have been.

“This notice doesn’t inform about what personal data has been leaked and is now out there – leaving those impacted and their families hanging,” she said. “They did apologise but we can only hope they’ve been more forthcoming with the victims than with the public.”

An investigation into the incident by the Information Commissioner’s Office is ongoing.