Public Health Wales has today apologised after the personal data of thousands of people who had tested positive for coronavirus was mistakenly uploaded to a publicly searchable site.

Public Health Wales says it accepts in full the recommendations of an independent investigation into a data breach that resulted in the publication of the personally identifiable data of 18,105 Welsh residents who had tested positive for Covid-19 between February and August 2020.

PHW commissioned an independent investigation into the circumstances and causes of the data breach following its discovery in September.

Tracey Cooper, Chief Executive of Public Health Wales said, “This has been a thorough investigation and we accept all of its recommendations. We take our obligations to protect people’s data extremely seriously and I am truly sorry that on this occasion we failed.

“Among the investigation’s findings, it was reported that, while the incident was the result of human error in the last step of the publishing process, the publishing process itself could have included additional safeguards. Following the data breach, we took immediate action to address this and the recommendations contained within this report also outline further areas that we can improve to prevent such an incident happening again.

“The report also stated that pressures of work may have been a factor. We acknowledge that, due to the unprecedented increase in demand for Covid-19 information, there has been significant pressure on the teams involved. Whilst we have mobilised additional resource for our teams, it has been challenging to ensure there is sufficient resource in place to keep up with the demand and pace required. We continue to work to ensure that our people with a greater responsibility to meet the demands of the pandemic are given the support and resources they need.

“We are aware that a number of opportunities to recognise the matter as an incident requiring immediate attention were missed. We acted as soon as we became aware to address this gap, and we will continue to ensure all staff fully understand their responsibilities in relation to reporting and escalating incidents, including data breaches.

“We are committed to implementing all of the recommendations outlined in the report. We have produced an action plan which contains the necessary actions to implement the recommendations, some of which form part of existing plans. This will supplement the steps we have already taken to strengthen our procedures.

"I would like to reassure the public that the actions we have taken have led to considerable improvements aimed at preventing an incident like this occurring again.”

The key findings and recommendations are available to read in full in the investigation report, published on the PHW website.

The data breach occurred on the afternoon of 3August 30, when the personal data of 18,105 Welsh residents who have tested positive for Covid-19 was uploaded by mistake to a public server where it was searchable by anyone using the site. After being alerted to the breach we removed the data on the morning of August 31. In the 20 hours it was online it had been viewed 56 times.

There is no evidence at this stage that the data was misused. However, anyone concerned that their data or that of a close family member may have been breached and wanting advice should firstly read the FAQs at www.phw.nhs.wales then email PHW.data@wales.nhs.uk if they have any additional questions. People can also call Public Health Wales on 0300 003 0032 .