Details of 18,000 who tested positive for COVID-19 accidentally published

An online mistake by Public Health Wales has seen the details of more than 18,000 people who tested positive for coronavirus published.

Public Health Wales said “The incident, which was the result of individual human error, occurred on the afternoon of 30 August 2020 when the personal data of 18,105 Welsh residents who have tested positive for COVID-19 was uploaded by mistake to a public server where it was searchable by anyone using the site.”

“After being alerted to the breach we removed the data on the morning of 31 August. In the 20 hours it was online it had been viewed 56 times.”

The body has now conducted a risk assessment and sought legal advice, and said “both of which advise that the risk of identification of the individuals affected by this data breach appears low.”

The information published included their initials, date of birth, geographical area and sex meaning that the risk they could be identified is low. However, for 1,926 people living in nursing homes or other enclosed settings such as supported housing, or residents who share the same postcode as these settings, the information also included the name of the setting.

PHW said “There is no evidence at this stage that the data has been misused. However, we recognise the concern and anxiety this will cause and deeply regret that on this occasion we have failed to protect Welsh residents’ confidential information.”

Tracey Cooper, Chief Executive of Public Health Wales, said: “We take our obligations to protect people’s data extremely seriously and I am sorry that on this occasion we failed. I would like to reassure the public that we have in place very clear processes and policies on data protection. We have commenced a swift and thorough external investigation into how this specific incident occurred and the lessons to be learned. I would like to reassure our public that we have taken immediate steps to strengthen our procedures and sincerely apologise again for any anxiety this may cause people.”

In response to the event, Richard Meeus, Security, Technology and Strategy Director of Akamai Technologies said: “Clearly, this is an unfortunate mistake. Sadly, these kinds of issues are something we often observe across the online world so it’s essential that companies continuously work to educate employees of their responsibilities when handling personal data and the crucial considerations around GDPR.”