Public Health Wales has acknowledged a large scale, self-inflicted incident in which the personal data of over 18,000 people who tested positive for Covid-19 was briefly made public.
It has released a statement, saying that on 30 August a member of its staff mistakenly uploaded the data onto its publicly available Covid-19 dashboard through the Tableau business intelligence software.
The person followed standard operating procedures but made an error in uploading the data onto a public facing rather than private server.
In the majority of cases the information consisted of initials, date of birth, local authority area and gender, but for just under 2,000 people living in nursing homes and supported housing it also included the name of the place.
It did not include NHS numbers and Public Health Wales said it does not believe it would be possible to access any other health or financial records using the data that became public.
The mistake was spotted and the data taken down after 20 hours in which it was viewed 56 times.
The organisation has informed the Information Commissioner’s Office and the Welsh Government, and commissioned an external investigation by the head of information governance at the NHS Wales Informatics Service which it expects to be complete in four weeks.
It has also taken steps aimed at preventing a recurrence of the incident, including setting up an incident management team to instigate remedial actions.
“There is no evidence at this stage that the data has been misused,” said the statement from Public Health Wales. “However, we recognise the concern and anxiety this will cause and deeply regret that on this occasion we have failed to protect Welsh residents’ confidential information.”
Image from Top 10 website, CC BY 2.0