Hundreds have personal details published in coronavirus data breach

The breach saw 382 people in Powys affected having after testing positive for coronavirus. The incident saw their data accidentally uploaded onto a public server.

Public Health Wales said risk assessment has been conducted and legal advice has been sought, both of which advise that the risk of identification of the individuals affected by this data breach appears low. 

In Wales as a whole, 18,105 people have been affected.

Public Health Wales said: "The incident, which was the result of individual human error, occurred on the afternoon of August 30, 2020 when the personal data of 18,105 Welsh residents who have tested positive for Covid-19 was uploaded by mistake to a public server where it was searchable by anyone using the site.

"After being alerted to the breach we removed the data on the morning of 31 August. In the 20 hours it was online it had been viewed 56 times. 

"In the majority of cases (16,179 people) the information consisted of their initials, date of birth, geographical area and sex meaning that the risk they could be identified is low.

"However, for 1,926 people living in nursing homes or other enclosed settings such as supported housing, or residents who share the same postcode as these settings, the information also included the name of the setting.

"The risk of identification for these individuals therefore is higher but is still considered low. 

"There is no evidence at this stage that the data has been misused. However, we recognise the concern and anxiety this will cause and deeply regret that on this occasion we have failed to protect Welsh residents’ confidential information."

CORONAVIRUS IN HEREFORDSHIRE:

• Wetherspoon: More coronavirus cases at Herefordshire farm than pubs
• Surgeries still closed to patients after staff catch coronavirus
• This is where coronavirus cases were found in Herefordshire last week

The spokesperson for Public Health Wales said anyone concerned should read the FAQs at www.phw.nhs.wales and then email PHW.data@wales.nhs.uk. 

"The Information Commissioner's Office and Welsh Government have been informed and we have commissioned an external investigation into the full circumstances surrounding the data breach and any lessons to be learned," they added.

"The investigation is being led by the Head of Information Governance at the NHS Wales Informatics Service.  

"In the meantime, we have taken immediate steps to prevent a similar incident from happening again.

"These include establishing an Incident Management Team to instigate remedial actions which have already resulted in changes to our standard operating procedures so that any data uploads are now undertaken by a senior member of the team.

"We have also informed our health board and local authority partners and have kept them up to date with the position."

ALSO READ:

• Looking back at Hereford's iconic Crystal Rooms
• Man rescued from river Wye near Hereford
• Million pound guesthouse for sale in Herefordshire village

Tracey Cooper, chief executive of Public Health Wales, said lessons need to be learned from the human error.

“We take our obligations to protect people’s data extremely seriously and I am sorry that on this occasion we failed," she said.

"I would like to reassure the public that we have in place very clear processes and policies on data protection. 

"We have commenced a swift and thorough external investigation into how this specific incident occurred and the lessons to be learned.

"I would like to reassure our public that we have taken immediate steps to strengthen our procedures and sincerely apologise again for any anxiety this may cause people.”