Public Health Wales has accepted in full the recommendations of an independent investigation following a data breach which resulted in the personal details of more than 18,000 Welsh residents who had tested positive for coronavirus being released online.

The breach occurred on the afternoon of August 30 when the personal data of 18,105 Welsh residents was uploaded by mistake to a public server where it was searchable by anyone using the site. It related to the personally identifiable data of residents who tested positive for Covid-19 between February and August this year.

After being alerted to the breach Public Health Wales (PHW) removed the data on the morning of August 31. In the 20 hours it was online it had been viewed 56 times.

Tracey Cooper, chief executive of Public Health Wales, said: “This has been a thorough investigation and we accept all of its recommendations. We take our obligations to protect people’s data extremely seriously and I am truly sorry that on this occasion we failed.”

Following the data breach, PHW said it took immediate steps to prevent a similar incident from happening again. These included establishing an incident management team to instigate remedial actions which have already resulted in changes to its standard operating procedures so that any data uploads are now undertaken by a senior member of the team.

PHW commissioned an independent investigation into the circumstances and causes of the breach following its discovery in September. The investigation, carried out by senior NHS Wales staff, was also asked to identify any recommendations aimed at reducing the likelihood and impact of a reoccurrence.

“Among the investigation’s findings, it was reported that, while the incident was the result of human error in the last step of the publishing process, the publishing process itself could have included additional safeguards,” added Ms Cooper.

“Following the data breach, we took immediate action to address this and the recommendations contained within this report also outline further areas that we can improve to prevent such an incident happening again.

“The report also stated that pressures of work may have been a factor. We acknowledge that, due to the unprecedented increase in demand for Covid-19 information, there has been significant pressure on the teams involved. While we have mobilised additional resource for our teams, it has been challenging to ensure there is sufficient resource in place to keep up with the demand and pace required. We continue to work to ensure that our people with a greater responsibility to meet the demands of the pandemic are given the support and resources they need.

“We are aware that a number of opportunities to recognise the matter as an incident requiring immediate attention were missed. We acted as soon as we became aware to address this gap, and we will continue to ensure all staff fully understand their responsibilities in relation to reporting and escalating incidents, including data breaches.

“We are committed to implementing all of the recommendations outlined in the report. We have produced an action plan which contains the necessary actions to implement the recommendations, some of which form part of existing plans. This will supplement the steps we have already taken to strengthen our procedures.

“I would like to reassure the public that the actions we have taken have led to considerable improvements aimed at preventing an incident like this occurring again.”

There is no evidence at this stage that the data was misused. However, anyone concerned that their data or that of a close family member may have been breached and wanting advice should firstly read the FAQs at www.phw.nhs.wales then email PHW at PHW.data@wales.nhs.uk if they have any additional questions. People can also call Public Health Wales on 0300 003 0032 to discuss their concerns.

The key findings and recommendations are also available to read in full in the investigation report, published on the PHW website. The action plan is also available to view.