Personal details of coronavirus patients uploaded to web by mistake
by Dominic RobertsonPersonal details of nearly 400 Mid Wales residents who tested positive for coronavirus have mistakenly been made public.
/cloudfront-us-east-1.images.arcpublishing.com/shropshirestar.mna/ITMSOKZ5OVBOFO2JTNMPPYMMPE.jpg "https://www.shropshirestar.com/resizer/qTfMNsWVxZFyu_isv0A0rBjQ-QY=/1000x0/filters:quality(100)/cloudfront-us-east-1.images.arcpublishing.com/shropshirestar.mna/ITMSOKZ5OVBOFO2JTNMPPYMMPE.jpg")
Public Health Wales has confirmed that the details of the patients were accidentally uploaded to a public server, where anyone could view the list.
In total 382 Powys people were on the list, which included a total of 18,105 Welsh residents.
Public Health Wales said that the data was online for 20 hours before being removed, and was viewed 56 times.
For 16,179 people the information included their initials, date of birth, geographical area and sex. For another 1,926 people living in nursing homes or other enclosed settings such as supported housing – or residents who share the same postcode as the settings – the information also included the name of the setting.
More Covid-19 coverage:
- See the latest coronavirus stories from Shropshire, Mid Wales and beyond
- Coronavirus: Latest number of deaths and confirmed cases in Shropshire, Telford and Mid Wales
- Star Neighbours - how you can give and get help locally
A statement from Public Health Wales said: "A risk assessment has been conducted and legal advice has been sought, both of which advise that the risk of identification of the individuals affected by this data breach appears low.
"The incident, which was the result of individual human error, occurred on the afternoon of 30 August 2020 when the personal data of 18,105 Welsh residents who have tested positive for Covid-19 was uploaded by mistake to a public server where it was searchable by anyone using the site. After being alerted to the breach we removed the data on the morning of 31 August. In the 20 hours it was online it had been viewed 56 times."
The statement added: "There is no evidence at this stage that the data has been misused. However, we recognise the concern and anxiety this will cause and deeply regret that on this occasion we have failed to protect Welsh residents’ confidential information."
The Information Commissioner's Office and Welsh Government have been informed of the incident and Public Health Wales said it has commissioned an external investigation.
Tracey Cooper, chief executive of Public Health Wales said, “We take our obligations to protect people’s data extremely seriously and I am sorry that on this occasion we failed. I would like to reassure the public that we have in place very clear processes and policies on data protection. We have commenced a swift and thorough external investigation into how this specific incident occurred and the lessons to be learned. I would like to reassure our public that we have taken immediate steps to strengthen our procedures and sincerely apologise again for any anxiety this may cause people.”
Anyone concerned that their data or that of a close family member may have been breached can find information at www.phw.nhs.wales or can email PHW.data@wales.nhs.uk.
People can also call Public Health Wales on 0300 003 0032.