THERE has been a data breach involving the personally identifiable data of Welsh residents who have tested positive for COVID-19 - including more than 2,100 in Flintshire and Wrexham.

The number of people in North Wales affected is 468 in Anglesey, 739 in Conwy, 825 in Denbighshire, 781 in Flintshire, 626 in Gwynedd, 1410 in Wrexham.

Public Health Wales said risk assessment has been conducted and legal advice has been sought, both of which advise that the risk of identification of the individuals affected by this data breach appears low. 

In Wales as a whole, 18,105 people have been affected.

The data was for every Welsh resident who had tested positive for Covid-19 between February 27 and August 30.

Public Health Wales removed the data on the morning of August 31 after being alerted to the breach. In the 20 hours it was online, it had been viewed 56 times.

A spokesman said there was “no evidence at this stage” that the data had been misused.

Public Health Wales said that in 16,179 of the cases, the information published included people’s initials, date of birth, geographical area and sex.

However, for 1,926 people living in nursing homes or other enclosed settings such as supported housing, or residents who shared the same postcodes as those settings, the information also included the name of the setting.

Public Health Wales said: "The incident, which was the result of individual human error, occurred on the afternoon of 30 August 2020 when the personal data of 18,105 Welsh residents who have tested positive for COVID-19 was uploaded by mistake to a public server where it was searchable by anyone using the site. After being alerted to the breach we removed the data on the morning of 31 August. In the 20 hours it was online it had been viewed 56 times. 

"In the majority of cases (16,179 people) the information consisted of their initials, date of birth, geographical area and sex meaning that the risk they could be identified is low. However, for 1,926 people living in nursing homes or other enclosed settings such as supported housing, or residents who share the same postcode as these settings, the information also included the name of the setting. The risk of identification for these individuals therefore is higher but is still considered low. 

"There is no evidence at this stage that the data has been misused. However, we recognise the concern and anxiety this will cause and deeply regret that on this occasion we have failed to protect Welsh residents’ confidential information. Anyone concerned that their data or that of a close family member may have been breached and wanting advice should firstly read the FAQs at www.phw.nhs.wales then email us at PHW.data@wales.nhs.uk if they have any additional questions. People can also call Public Health Wales on 0300 003 0032 to discuss their concerns.   

"The Information Commissioner's Office and Welsh Government have been informed and we have commissioned an external investigation into the full circumstances surrounding the data breach and any lessons to be learned. The investigation is being led by the Head of Information Governance at the NHS Wales Informatics Service.  

"In the meantime, we have taken immediate steps to prevent a similar incident from happening again. These include establishing an Incident Management Team to instigate remedial actions which have already resulted in changes to our standard operating procedures so that any data uploads are now undertaken by a senior member of the team. We have also informed our health board and local authority partners and have kept them up to date with the position."

Tracey Cooper, Chief Executive of Public Health Wales, added: “We take our obligations to protect people’s data extremely seriously and I am sorry that on this occasion we failed. I would like to reassure the public that we have in place very clear processes and policies on data protection. 

"We have commenced a swift and thorough external investigation into how this specific incident occurred and the lessons to be learned. I would like to reassure our public that we have taken immediate steps to strengthen our procedures and sincerely apologise again for any anxiety this may cause people.” 

The Welsh Government said it was not commenting on the data breach.

Andrew RT Davies MS, shadow health minister for the Welsh Conservatives, questioned why Health Minister Vaughan Gething had not spoken about the breach during a press conference on Monday.

“I acknowledge that the risk is considered to be ‘low’, but I’m not sure that that will be much comfort to the nearly 2,000 residents of care homes or other enclosed settings whose – albeit limited – information was posted along with their place of residence,” Mr Davies said.

“The Health Minister appears to have sat on this for two weeks and done a press conference earlier today without disclosing this significant failing – and that’s unacceptable.

“When people across Wales are being asked to provide our personal data for the purposes of track and trace this revelation could well damage public confidence.”

Rhun ap Iorwerth MS, shadow health minister for Plaid Cymru, said the breach must not happen again.

“Any data breach is serious, and this data breach including potential means of identifying patients is of serious concern,” he said.

“Public Health Wales and Welsh Government have to be able to explain how exactly this happened, and give assurances that this can’t happen again.

“People need to know that information held about them and their health is in safe hands, and this will raise questions in the minds of many people.”

A spokeswoman for the ICO said it would be “making inquiries” into the breach.

“Trust and confidence in the way NHS Wales Test, Trace and Protect Service uses and safeguards personal data is essential to public participation, so the programme is successful in helping tackle the coronavirus pandemic,” she said.

“Public Health Wales has made us aware of an incident and we will be making enquiries.”