Personal data of all Welsh coronavirus cases compromised in breach

Written by Sam Trendall on 15 September 2020 in News

Public Health Wales says leak that affected more than 18,000 people to have tested positive was attributable to ‘human error’

Credit: Katie Collins/EMPICS Entertainment

Personal information of every person in Wales to have tested positive for coronavirus up to the end of last month has been compromised in a data breach.

The incident occurred on 30 August when an employee of Public Health Wales was uploading data to the Tableau business-intelligence software platform used by the organisation.

“Unfortunately, at the last minute, the member of staff clicked to publish on the public-facing server rather than the internal restricted one,” Public Health Wales said.

The personal data of 18,105 people that have tested positive for coronavirus was thus published; this represents all confirmed cases of the disease in Wales from the first positive test on 27 February through to the date of the breach.

In 16,179 cases, the data leaked included the individual’s initials, sex, date of birth, and local authority area.

The remaining 1,926 people live in “closed settings”, such as a nursing home or supported-living facility – or share a postcode with such a setting. In these cases, the name of this setting was also published. 

Related content

“[Data published] did not contain the person’s NHS number and we do not believe it would be possible to access other health or financial records using this data alone,” Public Health Wales said. “However, we recognise that the disclosure of any confidential personal information is likely to cause concern and anxiety among those affected and we deeply regret that this has happened.”

Information was publicly visible from 2pm on 30 August until 9.50am the following day. It was viewed 56 times during that period, but it is not possible to identify who did so, according to the health authority.

Those affected by the breach are not being individually contacted as Public Health Wales has “concluded, after legal advice and consultation with the ICO, that writing to all those affected is not required in this case because the risk to them is considered low”.

It added: “There is no evidence that any of the personal information involved in the data breach has been misused and we do not believe it would be possible to access other health or financial records using this information alone. However, we are monitoring the situation.”

The breach took place on the Saturday and Sunday of the August bank holiday weekend and the Information Commissioner’s Office and the Welsh Government was notified of the incident on Wednesday 2 September.

The ICO is understood to be examining the breach and Public Health Wales has also commissioned an external review, to be led by the head of information governance at the NHS Wales Informatics Service.  

This review, which is due to report back in four weeks’ time, will “look into exactly how this happened and what lessons can be learned”. Its investigation will include an examination of why the data in question was not “anonymised or pseudonymised”.

“The data was designed to be identifiable only by those with other detailed information on recent cases, who already need to have access to named patient data through our health protection response, in order to provide public health advice,” Public Health Wales said. “This was an internal dashboard designed for these NHS professionals and was published publicly in error.”

While the review goes on, the health agency has already “taken immediate steps to prevent a similar incident from happening again”. 

This includes the creation of an incident-management team tasked with overseeing “remedial actions”.

“[This has] already resulted in changes to our standard operating procedures so that any data uploads are now undertaken by a senior member of the team,” Public Health Wales said. “We have also informed our health board and local authority partners and have kept them up to date with the position.”

Other measures implemented in light of the incident include separating processes for the use of internal and external dashboards, and instituting additional checks on servers.

Tracey Cooper, chief executive of Public Health Wales said: “We take our obligations to protect people’s data extremely seriously and I am sorry that on this occasion we failed. I would like to reassure the public that we have in place very clear processes and policies on data protection. We have commenced a swift and thorough external investigation into how this specific incident occurred and the lessons to be learned. I would like to reassure our public that we have taken immediate steps to strengthen our procedures and sincerely apologise again for any anxiety this may cause people.”

Anyone concerned about their data or that of a loved one having been compromised is advised to call 0300 003 0032 or email


About the author

Sam Trendall is editor of PublicTechnology

Share this page




Please login to post a comment or register for a free account.

Related Articles

The coronavirus ‘infodemic’: truth and conspiracy online
15 September 2020

The spread of online misinformation during the Covid-19 pandemic has exacerbated a public health crisis. PublicTechnology digs into a recent parliamentary inquiry to find out...

Policymakers must start asking difficult questions on the ethics of AI in healthcare
9 September 2020

Government needs to begin working with citizens and industry to address the risks created by the use of new technology, according to Jessica Morley and Luciano Floridi of the Oxford Internet...

Lifesaving data – how NHS Digital has worked with researchers to support coronavirus response
4 September 2020

Research director Tom Denwood explains how the national digital services agency has helped use information to better understand issues including effective treatments for Covid-19 and the...

Related Sponsored Articles

Digital inclusion is vital during the COVID-19 accelerated channel shift
22 September 2020

Accessibility requirements aren’t restrictions that need to be overcome - they’re guidelines to improve online experiences for everyone, says Jadu VP Richard Friend

Intelligent Spend Management in the Public Sector
24 September 2020

SAP Concur says it's time for the public sector to embrace more efficient invoice management technology

IT Resilience: The Key to a Successful Digital Transformation
22 September 2020

Steve Blow, tech evangelist at Zerto, explains why digital transformation efforts could be futile if local authorities don’t address and improve their IT resilience