Wales says personal data of 18,000 COVID patients accidentally published

LONDON (Reuters) – Personal data concerning 18,105 residents of Wales who tested positive for COVID-19 was uploaded by mistake to a public server and spent 20 hours online in August, Public Health Wales said on Monday.

The data breach was a result of individual human error, the public health body said, adding that it had commissioned an external investigation into the data breach and taken steps to prevent any similar incident.

“There is no evidence at this stage that the data has been misused,” Public Health Wales said in a statement.

“However, we recognise the concern and anxiety this will cause and deeply regret that on this occasion we have failed to protect Welsh residents’ confidential information,” it said.

The data was uploaded on the afternoon of Aug. 30 and was searchable by anyone using the Public Health Wales site until it was removed on the morning of Aug. 31. During the time it was online it was viewed 56 times, by unknown users.

Public Health Wales said that in the majority of cases, 16,179 people, the information consisted of initials, dates of birth, geographical area and sex, meaning that the risk of identification was low.

For 1,926 people living in nursing homes and supported housing, the information also included the names of the homes, which made the risk of identification higher, but still low.

The data was for every resident of Wales who had tested positive for COVID-19 between Feb. 27 and Aug. 30. It was uploaded to the Public Health Wales COVID-19 dashboard, on a page containing health protection information.

(Reporting by Estelle Shirbon. Editing by Andrew MacAskill)