Public Health Wales has today accepted in full the recommendations of an independent investigation into a data breach which resulted in the publication of the personally identifiable data of 18,105 Welsh residents who had tested positive for COVID-19 between February and August 2020.
Public Health Wales commissioned an independent investigation into the circumstances and causes of the data breach following its discovery in September. The investigation, which was carried out by Darren Lloyd, Head of Information Governance at the NHS Wales Informatics Service and John Sweeney, Information Sharing and Governance Manager, NHS Wales, was also asked to identify any recommendations aimed at reducing the likelihood and impact of a reoccurrence.
Tracey Cooper, Chief Executive of Public Health Wales said, “This has been a thorough investigation and we accept all of its recommendations. We take our obligations to protect people’s data extremely seriously and I am truly sorry that on this occasion we failed.
“Among the investigation’s findings, it was reported that, while the incident was the result of human error in the last step of the publishing process, the publishing process itself could have included additional safeguards. Following the data breach, we took immediate action to address this and the recommendations contained within this report also outline further areas that we can improve to prevent such an incident happening again.
“The report also stated that pressures of work may have been a factor. We acknowledge that, due to the unprecedented increase in demand for COVID-19 information, there has been significant pressure on the teams involved. Whilst we have mobilised additional resource for our teams, it has been challenging to ensure there is sufficient resource in place to keep up with the demand and pace required. We continue to work to ensure that our people with a greater responsibility to meet the demands of the pandemic are given the support and resources they need.
“We are aware that a number of opportunities to recognise the matter as an incident requiring immediate attention were missed. We acted as soon as we became aware to address this gap, and we will continue to ensure all staff fully understand their responsibilities in relation to reporting and escalating incidents, including data breaches.
“We are committed to implementing all of the recommendations outlined in the report. We have produced an action plan which contains the necessary actions to implement the recommendations, some of which form part of existing plans. This will supplement the steps we have already taken to strengthen our procedures.
“I would like to reassure the public that the actions we have taken have led to considerable improvements aimed at preventing an incident like this occurring again.”
The key findings and recommendations are available to read in full in the investigation report, published on our website. The action plan is also available to view on our website.
The data breach occurred on the afternoon of 30 August 2020 when the personal data of 18,105 Welsh residents who had tested positive for COVID-19 was uploaded by mistake to a public server where it was searchable by anyone using the site. After being alerted to the breach we removed the data on the morning of 31 August. In the 20 hours it was online it had been viewed 56 times.
Following the data breach, we took immediate steps to prevent a similar incident from happening again. These included establishing an Incident Management Team to instigate remedial actions which have already resulted in changes to our standard operating procedures so that any data uploads are now undertaken by a senior member of the team.
There is no evidence at this stage that the data was misused. However, anyone concerned that their data or that of a close family member may have been breached and wanting advice should firstly read the FAQs at www.phw.nhs.wales then email us at PHW.firstname.lastname@example.org if they have any additional questions. People can also call Public Health Wales on 0300 003 0032 to discuss their concerns.
These FAQs relate only to the investigation report. FAQs relating to the data breach itself can also be found on our website here.
The investigation was carried out by the Head of Information Governance at the NHS Wales Informatics Service and NHS Wales’ Information Sharing and Governance Manager at the NHS Wales Informatics Service.
The investigation report is published in full on the Public Health Wales website.
Following the data breach, we took immediate steps to prevent a similar incident from happening again. These included establishing an Incident Management Team to instigate remedial actions which have already resulted in changes to our standard operating procedures including the introduction of additional checks to ensure senior oversight of uploads to the public facing dashboard. The action plan is available to view on our website.
We have accepted in full the recommendations outlined in the investigation report and have produced an action plan which contains the necessary actions to implement the recommendations. Work to implement these actions is underway.
The independent investigation looked into exactly how this happened and what lessons can be learned. We took immediate actions following the incident to reduce the risk of recurrence and have developed an action plan which addresses the recommendations outlined in the investigation report. Work to implement these actions is underway.