The personal details of over 18,000 patients who tested positive for Coronavirus have been exposed in a data breach in Wales. The breach happened when a member of staff at Public Health Wales was uploading data to the Tableau software used by the health authority. Rather than posting it to an internal server, the information was accidentally posted to a public-facing server.
The data was publicly available from 2 pm on 30 August until 9.50 am the following morning. During that period, unknown users accessed the database 56 times. The exposed patient information included initials, date of birth and sex. For 2,000 patients who live in close settings such as nursing homes or supported living facilities, the names of their residences were also publicly available.
Based on a risk assessment and legal advice, officials at Public Health Wales concluded that the risk of identification of the individuals affected by the data breach was low.
An impending investigation
Mario Kreft MBE, the chair of Care Forum Wales, in a recent interview expressed concerns about how the data breach was handled:
This was a dreadful mistake by an individual but the decision to keep this important information quiet was clearly taken at a high level within Public Health Wales. This is about the checks and the balances within the organisation and about how it is managed.
The ICO will investigate the data breach. In addition, the health authority has commissioned an external review led by the Head of Information Governance in the NHS Wales Informatics Services.
The review will look into:
- How the breach happened
- What lessons can be learned
- Why the data was not anonymised or pseudonymised
Tracey Cooper, Chief Executive of Public Health Wales said:
We take our obligations to protect people’s data extremely seriously and I am sorry that on this occasion we failed.
I would like to reassure the public that we have in place very clear processes and policies on data protection. We have commenced a swift and thorough external investigation into how this specific incident occurred and the lessons to be learned. I would like to reassure our public that we have taken immediate steps to strengthen our procedures and sincerely apologise again for any anxiety this may cause people.
Since the incident, Public Health Wales has taken corrective steps including:
- Separating the process for the use of internal and external dashboards
- Adding checks on servers
- Ensuring data uploads are done by senior members of the team
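The corrective steps above amount to a publication gate: data bound for a public-facing dashboard must be checked before it leaves the internal environment, and only a senior member of the team may perform that upload. The following is an added illustration of such a gate, written for this page and not code from Public Health Wales or Tableau. The column classes, the allow-list, the sample records and the key are all constructed for the example; the real review will decide its own policy.

```python
"""Pre-publication gate for a dashboard dataset (constructed example, not PHW code)."""
import hashlib
import hmac
from datetime import date
from enum import Enum


class Destination(Enum):
    INTERNAL = "internal"  # authenticated, staff-only server
    PUBLIC = "public"      # public-facing server: anyone can read what lands here


# Assumed policy: these columns must never reach a public dashboard.
DIRECT_IDENTIFIERS = {"record_id", "initials", "date_of_birth", "residence_name"}
# Assumed policy: the only columns a public dashboard may carry.
ALLOWED_PUBLIC = {"patient_token", "age_band", "sex", "test_result"}


def check_upload(columns, destination, uploader_is_senior):
    """Return a list of policy violations; an empty list means the upload may proceed."""
    problems = []
    cols = set(columns)
    if destination is Destination.PUBLIC:
        leaked = sorted(cols & DIRECT_IDENTIFIERS)
        if leaked:
            problems.append(f"direct identifiers in public upload: {leaked}")
        unexpected = sorted(cols - ALLOWED_PUBLIC - DIRECT_IDENTIFIERS)
        if unexpected:
            problems.append(f"columns not on the public allow-list: {unexpected}")
        if not uploader_is_senior:
            problems.append("public uploads must be performed by a senior team member")
    return problems


def age_band(dob, today, width=10):
    """Generalise a date of birth to a coarse age band, e.g. '70-79'."""
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def pseudonymise(record, key, today):
    """Replace identifying fields with a keyed token and a coarse age band.

    The token is an HMAC over the internal record id, so it cannot be reversed
    without the key, and the residence name is dropped entirely.
    """
    token = hmac.new(key, str(record["record_id"]).encode(), hashlib.sha256).hexdigest()[:16]
    return {
        "patient_token": token,
        "age_band": age_band(record["date_of_birth"], today),
        "sex": record["sex"],
        "test_result": record["test_result"],
    }


def prepare_public_release(records, key, today, uploader_is_senior):
    """Pseudonymise every record, then run the gate on the resulting columns.

    Returns (rows, problems). Rows are only meant to be uploaded when problems is empty.
    """
    rows = [pseudonymise(r, key, today) for r in records]
    columns = rows[0].keys() if rows else []
    return rows, check_upload(columns, Destination.PUBLIC, uploader_is_senior)


# Constructed sample records; they do not correspond to any real patient.
SAMPLE_RECORDS = [
    {"record_id": 1001, "initials": "AB", "date_of_birth": date(1950, 5, 1),
     "sex": "F", "residence_name": "Example Care Home", "test_result": "positive"},
    {"record_id": 1002, "initials": "CD", "date_of_birth": date(1985, 11, 20),
     "sex": "M", "residence_name": None, "test_result": "positive"},
]
DEMO_KEY = b"constructed-demo-key-not-for-production"
DEMO_TODAY = date(2020, 8, 31)

if __name__ == "__main__":
    raw_columns = SAMPLE_RECORDS[0].keys()
    print("raw data to PUBLIC:", check_upload(raw_columns, Destination.PUBLIC, True))
    print("raw data to INTERNAL:", check_upload(raw_columns, Destination.INTERNAL, False))
    rows, problems = prepare_public_release(SAMPLE_RECORDS, DEMO_KEY, DEMO_TODAY, True)
    print("pseudonymised to PUBLIC:", problems, rows)
```

The gate is deliberately asymmetric: the internal destination accepts the raw columns, while the public destination refuses anything outside a short allow-list and anything uploaded by a non-senior member of staff. Running the raw dataset through it reproduces the failure mode in this incident as a rejected upload rather than a public disclosure.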
90% of Breaches Are Caused by Human Error
According to an analysis of the ICO’s data by CybSafe, 90% of cyber data breaches in 2019 were caused by human error. The most important takeaway from this incident is to ensure your employees are educated on their responsibilities when handling personal data. In addition, make sure there are additional checks and verification processes when handling sensitive personal data.
Coronavirus has also thrown up challenges for people when dealing with health information and personal data. According to a Verizon report, human error accounts for one-third of health care data breaches. Email and mailing errors in particular have been a major cause of data breaches. This is not the first data breach to affect a health authority in Wales. In April, NHS Wales Informatics Services reported a data breach to the ICO when 13,000 letters were sent to the wrong address. Another example is that of the City of Los Angeles office: Covid-19 test results were accidentally emailed to more than 200 people without blind copying them. As a result, recipients were able to see other patients' email addresses.
These errors are avoidable through training and constant awareness. For support on training your employees, get in touch with us to learn more about our award-winning training service. We offer bespoke training that focuses on actionable measures relevant to your staff’s roles and responsibilities.
Jamal and the Kazient team made the training both engaging and simple for the whole organisation to participate. Would highly recommend to anyone who has gaps in this area.
Kashif Shabir, Interim CEO, Muslim Aid
If you are concerned your data has been compromised through the Public Health Wales breach, email [email protected]
Kazient Privacy Experts offer bespoke Data Protection, Privacy and GDPR compliance solutions in a language you understand to UK and international organisations, and has received positive media coverage across Europe. Kazient’s GDPR consultants are fully certified to be your outsourced Data Protection Officer or EU Representative. Get in touch to find out how we can help your business by visiting our website www.kazient.co.uk or calling us on 0330 022 9009.