Personal details of thousands of Covid-positive patients in Wales uploaded to public server by mistake


Personal details of thousands of Covid-positive patients in Wales were temporarily uploaded to a public server by mistake, it has been revealed.

Public Health Wales has admitted that a data breach occurred on the afternoon of August 30th as a result of "individual human error". The breach exposed information about 18,105 people, including their initials, date of birth, sex and geographical area.

The cases covered by the breached information are from February 27th to August 30th. Wales reported its first case of Covid-19 on February 28th.

For 1,926 of the patients whose information was published, the information also included the name of a setting. These are people living in nursing homes or other enclosed settings such as supported housing, or residents who share the same postcode as these settings.

The details were searchable by anyone using the daily data dashboard on the Public Health Wales website for the 20 hours that it was live.

Public Health Wales says that during this time, the data was viewed 56 times and that after seeking legal advice and carrying out a risk assessment, the risk of patients being identified "appears low".

Tracey Cooper, Chief Executive of Public Health Wales, said: “We take our obligations to protect people’s data extremely seriously and I am sorry that on this occasion we failed. I would like to reassure the public that we have in place very clear processes and policies on data protection.

“We have commenced a swift and thorough external investigation into how this specific incident occurred and the lessons to be learned. I would like to reassure our public that we have taken immediate steps to strengthen our procedures and sincerely apologise again for any anxiety this may cause people.”

Public Health Wales has referred itself to the Information Commissioner and has also informed the Welsh Government, health boards and local authorities.

Public Health Wales says there is no evidence at this stage that the information has been misused but that it recognises people may be concerned, adding: "Anyone concerned that their data or that of a close family member may have been breached and wanting advice should firstly read the FAQs at www.phw.nhs.wales then email us at PHW.data@wales.nhs.uk if they have any additional questions.

"People can also call Public Health Wales on 0300 003 0032 to discuss their concerns."

Shadow Health Minister Andrew RT Davies described the data breach as "unacceptable" and said it could "damage public confidence".

“I acknowledge that the risk is considered to be ‘low’, but I’m not sure that that will be much comfort to the nearly 2,000 residents of care homes or other enclosed settings whose – albeit limited – information was posted along with their place of residence,” said Mr Davies.

“The Health Minister appears to have sat on this for two weeks and done a press conference earlier today without disclosing this significant failing – and that's unacceptable.

“When people across Wales are being asked to provide our personal data for the purposes of track and trace this revelation could well damage public confidence.”