But health body is praised for ‘openness and honesty’ in wake of incident
The personally identifiable data of more than 18,000 Welsh residents who tested positive for Covid-19 was publicly viewable online for 20 hours, Public Health Wales has admitted.
In a statement issued yesterday (September 14), the national public health agency for Wales said the data was mistakenly uploaded to a public server on the afternoon of 30 August, where it was searchable for anyone using the agency’s website.
By the time the agency discovered the breach and removed the data the following morning, “it had been viewed 56 times”, said Public Health Wales. The agency added that “there is no evidence at this stage that the data has been misused”.
Low identification risk
The health body said that “the risk of identification of the individuals affected by this data breach appears low”, based on legal advice it had received and the results of a risk assessment.
“In the majority of cases (16,179 people) the information consisted of their initials, date of birth, geographical area, and sex, meaning that the risk they could be identified is low,” it explained.
“However, for 1,926 people living in nursing homes or other enclosed settings such as supported housing, or residents who share the same postcode as these settings, the information also included the name of the setting.
“The risk of identification for these individuals therefore is higher, but is still considered low.”
The leaked data belonged to 18,105 Welsh residents in total.
Public Health Wales says it has notified the UK’s Information Commissioner’s Office and Welsh Government of the breach. An external investigation is being led by the Head of Information Governance at the NHS Wales Informatics Service.
The agency says it has changed standard operating procedures “so that any data uploads are now undertaken by a senior member of the team”.
Anyone concerned that their data, or that of a close family member, may have been breached have been advised to contact the agency.
Tracey Cooper, chief executive of Public Health Wales, said: “I would like to reassure the public that we have in place very clear processes and policies on data protection.”
Cooper added: “I would like to reassure our public that we have taken immediate steps to strengthen our procedures and sincerely apologize again for any anxiety this may cause people.”
Principle of least privilege
Richard Meeus, security, technology, and strategy director for Akamai Technologies, said such incidents are common and are best avoided by continuously educating employees about their data protection responsibilities under GDPR.
He also urged organizations to employ “the Principle of Least Privilege, which states [that] employees can only perform actions required to do their job, allowing for additional checks and verifications for processes that could have unwanted consequences”.
The Public Health Wales incident is the second pandemic-related, self-inflicted data breach by part of the Welsh NHS, after the NHS Wales Informatics Services admitted in April to sending 13,000 shielding letters to the wrong addresses.