Skip to content ↓ | Skip to navigation ↓

A National Health Service (NHS) Trust revealed that it had mistakenly uploaded the personal information of over 18,000 people who had previously tested positive for coronavirus 2019 (COVID-19).

On September 14, Public Health Wales announced in a web statement that the data breach had occurred back on the afternoon of August 30, 2020.

This notice explained that the personal information of 18,105 Welsh residents who had tested positive for COVID-19 had ended up on a public server as the result of human error.

The incident exposed only the initials, date of birth, geographical area and sex of 16,179 individuals, the statement explained.

For the remaining 1,926 victims, the security event might have breached the fact that they lived in or shared a zip code with a nursing home or similar supported setting.

The exposed information remained on the public server for approximately 20 hours until Public Health Wales removed it on the morning of August 31. At that time, the data had been viewed 56 times.

As part of its investigation, the NHS Trust noted that it had found no evidence of malicious actors having misused the COVID-19 patients’ compromised data.

Public Health Wales explained that it still went ahead and informed the Information Commissioner’s Office and Welsh Government as well as commissioned the Head of Information Governance at the NHS Wales Informatics Service to conduct an investigation.

It also said that it had taken steps to prevent a similar event from happening again by creating an incident response team, changing its standard operating procedures and keeping its local partners informed.

Tracey Cooper, chief executive of Public Health Wales, issued an apology for the security incident. As quoted on the NHS Trust’s website:

We take our obligations to protect people’s data extremely seriously and I am sorry that on this occasion we failed. I would like to reassure the public that we have in place very clear processes and policies on data protection. We have commenced a swift and thorough external investigation into how this specific incident occurred and the lessons to be learned. I would like to reassure our public that we have taken immediate steps to strengthen our procedures and sincerely apologise again for any anxiety this may cause people.

Individuals looking to learn more about the security event should contact Public Health Wales by emailing PHW.data@wales.nhs.uk or calling 0300 003 0032.