Massive Public Health Wales coronavirus data breach result of “human error in the last step of the publishing process”
The chief executive of Public Health Wales (PHW) has today issued an apology after a data breach by the organisation saw the personal data of over 18,000 Welsh residents who had tested positive for COVID-19 uploaded online – nearly all of the people who had been tested at that point.
At the time, details of 1,410 people from Wrexham who tested positive for coronavirus were stated as being affected by the breach, with only 1,463 people testing positive in Wrexham overall at that point.
An independent investigation into the incident has found that the breach was the result of “human error in the last step of the publishing process.”
The investigation, which was carried out by Darren Lloyd, Head of Information Governance at the NHS Wales Informatics Service and John Sweeney, Information Sharing and Governance Manager, NHS Wales, was also asked to identify any recommendations aimed at reducing the likelihood and impact of a reoccurrence.
The data breach saw the results of 18,105 Welsh residents who had tested positive for COVID-19 between February and August 2020, the vast majority of the entire number tested, published on a public server where the information was searchable by anyone using the site.
The data was online for 20 hours before being removed on the morning of August 31. The personally identifiable information had been viewed 56 times.
Public Health Wales was notified of the breach by one member of the public and one employee of a Welsh Local Authority.
Tracey Cooper, chief executive of Public Health Wales, said today that the organisation fully accepts the recommendations of the investigation.
She said: “This has been a thorough investigation and we accept all of its recommendations. We take our obligations to protect people’s data extremely seriously and I am truly sorry that on this occasion we failed.
“Among the investigation’s findings, it was reported that, while the incident was the result of human error in the last step of the publishing process, the publishing process itself could have included additional safeguards.
“Following the data breach, we took immediate action to address this and the recommendations contained within this report also outline further areas that we can improve to prevent such an incident happening again.
“The report also stated that pressures of work may have been a factor. We acknowledge that, due to the unprecedented increase in demand for COVID-19 information, there has been significant pressure on the teams involved.
“Whilst we have mobilised additional resource for our teams, it has been challenging to ensure there is sufficient resource in place to keep up with the demand and pace required. We continue to work to ensure that our people with a greater responsibility to meet the demands of the pandemic are given the support and resources they need.
“We are aware that a number of opportunities to recognise the matter as an incident requiring immediate attention were missed. We acted as soon as we became aware to address this gap, and we will continue to ensure all staff fully understand their responsibilities in relation to reporting and escalating incidents, including data breaches.
“We are committed to implementing all of the recommendations outlined in the report. We have produced an action plan which contains the necessary actions to implement the recommendations, some of which form part of existing plans. This will supplement the steps we have already taken to strengthen our procedures.
“I would like to reassure the public that the actions we have taken have led to considerable improvements aimed at preventing an incident like this occurring again.”