Breach exposes data of every Covid-19 positive Welsh patient
Written by James Orme Wed 16 Sep 2020

Misconfigured server left 18,105 patients’ data exposed
Wales’ national public health agency has apologised after accidentally uploading the data of every citizen who tested positive for Covid-19 to a public-facing server.
Public Health Wales (PHW) confirmed the personal data of 18,105 Welsh residents was uploaded by mistake to the insecure server and searchable by anyone using the site.
PHW said the incident was the result of human error and occurred on the afternoon of 30 August before being resolved the following morning.
In a written statement, the health body reassured the public that the ‘risk of identification was low’, but also disclosed that the database was viewed 56 times during the 20 hours it was online.
“There is no evidence at this stage that the data has been misused,” read the statement.
“However, we recognise the concern and anxiety this will cause and deeply regret that on this occasion we have failed to protect Welsh residents’ confidential information,” it added.
Although first names weren’t exposed in the breach, the data did include patient initials, date of birth, geographical area, and sex. PHW said the risk of identification was higher for the 1,926 people living in nursing homes or enclosed settings that were affected, as the database included the name of those settings.
The health body said they have informed the ICO and Welsh Government and have launched an investigation into the circumstances surrounding the breach.
An Incident Response Management Team has begun instigating ‘remedial actions’ to modify the body’s standard operating procedures, including the requirement that data uploads are now undertaken by senior team members.
Tracey Cooper, Chief Executive of Public Health Wales, said, “We take our obligations to protect people’s data extremely seriously and I am sorry that on this occasion we failed. I would like to reassure the public that we have in place very clear processes and policies on data protection.”
“We have commenced a swift and thorough external investigation into how this specific incident occurred and the lessons to be learned. I would like to reassure our public that we have taken immediate steps to strengthen our procedures and sincerely apologise again for any anxiety this may cause people.”