Data breach exposes details of 18,000 people who tested positive for COVID-19

A gloved medical employee conducting research on COVID-19
(Image credit: Shutterstock)

The initials, date of birth, geographical area and gender of more than 18,000 Welsh residents who tested positive for COVID-19 was exposed for 20 hours during the August bank holiday weekend.

While in the majority of cases, 16.179 individuals, the risk of identifying people is low, the data breach also saw the location of 1,926 people living in nursing homes or other enclosed settings exposed.

The incident was the result of human error, according to Public Health Wales, and arose when an employee was transferring the data of positive COVID-19 tests to the business intelligence software Tableau on 30 August.

At the last minute, the staff member clicked to publish the data to the public-facing server rather than the internal restricted one, causing the data to be exposed for 20 hours until it was discovered and removed.

“We take our obligations to protect people’s data extremely seriously and I am sorry that on this occasion we failed. I would like to reassure the public that we have in place very clear processes and policies on data protection,” said chief executive of Public Health Wales, Tracey Cooper.

“We have commenced a swift and thorough external investigation into how this specific incident occurred and the lessons to be learned. I would like to reassure our public that we have taken immediate steps to strengthen our procedures and sincerely apologise again for any anxiety this may cause people.”

This data was collected from laboratories by the Communicable Disease Surveillance Centre (CDSC), which is the epidemiological investigation branch of Public Health Wales, and is used by the organisation to improve the national response to fighting the virus. This data is not the same as used by the NHS app, nor is it the same data collected by the national test and trace scheme, which is stored and processed on a separate system.

Having conducted a risk assessment and sought legal advice, Public Health Wales has determined the risk of identification of the exposed individuals is low, with no evidence so far the data has been misused. That said, 56 individuals accessed the leaked data during the 20 hour period, although Tableau does not offer functionality to track who specifically has viewed the data.

Public Health Wales claims it has taken steps to prevent a similar incident from occurring again, namely establishing an incident management team to instigate remedial actions. Such steps include changing the standard operating procedures so that any data uploads are undertaken by a senior member of the team.


Building a modern information governance strategy

How to rethink your approach to develop a more modern information governance strategy


The organisation also informed the Information Commissioner’s Office (ICO) on 2 September, in accordance with requirements under GDPR, as well as the Welsh government.

“Trust and confidence in the way NHS Wales Test, Trace and Protect Service uses and safeguards personal data is essential to public participation, so the programme is successful in helping tackle the coronavirus pandemic,” an ICO spokesperson said. “Public Health Wales has made us aware of an incident and we will be making enquiries.”

The head of information governance at the NHS Wales Informatics Service will also be conducting an investigation into the data breach to uncover the full circumstances as well as any potential lessons that can be learned.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.