Data breach puts private info of thousands of Covid patients online

Fury as data breach blamed on ‘individual human error’ sees personal information of thousands of Welsh coronavirus patients uploaded onto public computer system

  • Personal details of almost 20,000 Welsh residents placed on a searchable server
  • Data of all Welsh residents testing positive between February 27 and August 30
  • Public Health Wales said ‘no evidence at this stage’ data had been misused
  • Welsh Tories asked why Labour failed to mention it at morning press briefing

Private information about thousands of coronavirus patients was uploaded onto a public computer system in a major data security breach, it was revealed today.

Personal details of almost 20,000 Welsh residents affected by the disease were placed on a searchable online server, Public Health Wales confirmed today.

In the cases of 16,179 people, the information published consisted of their initials, date of birth, geographical area and gender.

However, for a further 1,926 people living in nursing homes or other enclosed settings such as supported housing, or residents who shared a postcode with them, the information also included the name of the setting.

The data was for every Welsh resident who had tested positive for Covid-19 between February 27 and August 30.

Public Health Wales blamed ‘individual error’ and removed the data on the morning of August 31 after being alerted to the breach. In the 20 hours it was online, it had been viewed 56 times.

A spokesman said there was ‘no evidence at this stage’ that the data had been misused.

But Andrew RT Davies MS, shadow health minister for the Welsh Conservatives, questioned why Health Minister Vaughan Gething had not spoken about the breach during a press conference this morning.


‘I acknowledge that the risk is considered to be “low”, but I’m not sure that that will be much comfort to the nearly 2,000 residents of care homes or other enclosed settings whose – albeit limited – information was posted along with their place of residence,’ Mr Davies said.

‘The health minister appears to have sat on this for two weeks and done a press conference earlier today without disclosing this significant failing – and that’s unacceptable.

‘When people across Wales are being asked to provide our personal data for the purposes of track and trace this revelation could well damage public confidence.’

Tracey Cooper, chief executive of Public Health Wales, said: ‘We take our obligations to protect people’s data extremely seriously and I am sorry that on this occasion we failed.

‘I would like to reassure the public that we have in place very clear processes and policies on data protection.

‘We have commenced a swift and thorough external investigation into how this specific incident occurred and the lessons to be learned.

‘I would like to reassure our public that we have taken immediate steps to strengthen our procedures and sincerely apologise again for any anxiety this may cause people.’

The Information Commissioner’s Office (ICO) and the Welsh Government were informed of the breach on September 2 and an external investigation has been commissioned.

This will be led by the head of governance at the NHS Wales Informatics Service.

A risk assessment and legal advice have concluded that the risk of identifying the individuals affected by the data breach ‘appears low’, Public Health Wales said.

The Welsh Government said it was not commenting on the data breach.

Rhun ap Iorwerth MS, shadow health minister for Plaid Cymru, said the breach must not happen again.

‘Any data breach is serious, and this data breach including potential means of identifying patients is of serious concern,’ he said.

‘Public Health Wales and Welsh Government have to be able to explain how exactly this happened, and give assurances that this can’t happen again.

‘People need to know that information held about them and their health is in safe hands, and this will raise questions in the minds of many people.’

A spokeswoman for the ICO said it would be ‘making inquiries’ into the breach.

‘Trust and confidence in the way NHS Wales Test, Trace and Protect Service uses and safeguards personal data is essential to public participation, so the programme is successful in helping tackle the coronavirus pandemic,’ she said.

‘Public Health Wales has made us aware of an incident and we will be making enquiries.’
