On 14 September 2020, Public Health Wales (PHW) admitted to a significant data breach. In a statement, PHW said the violation involved the personally identifiable data of Welsh residents who had tested positive for COVID-19.
The breach, which was the result of human error after data was uploaded to a searchable public server, exposed the following information:
- For 16,179 people, the data consisted of their initials, date of birth, geographical area and sex
- For 1,926 people living in enclosed settings (e.g. nursing homes and supported housing), or residents who share the same postcode as these settings, the information also included the name of the setting.
The data was uploaded on the afternoon of 30 August and removed the following morning. During this period, the information was viewed 56 times.
Are you involved in the PHW data breach?
The breached data was for every Welsh resident who tested positive for COVID-19 between 27 February and 30 August. If you are concerned about the risk to you or a close family member, you can email Public Health Wales at PHW.email@example.com or call 0300 003 0032.
How high is the risk?
According to PHW, the risk of identification is considered low. However, today’s cybercriminals are more sophisticated than ever, and they often use tools capable of finding and correlating information about people to build more detailed profiles. The data can then be used in targeted phishing scams and other attacks.
On its website, PHW states that it recognises “that the disclosure of any confidential personal information is likely to cause concern and anxiety among those affected”. In particular, for the nearly 2,000 residents living in enclosed settings, some of whom are already vulnerable, this breach is likely to cause significant distress and upset.
An admission of liability for the PHW data breach
Admitting liability, Tracey Cooper, Chief Executive of Public Health Wales told the BBC that the failure was one of the “biggest data breaches” she had come across and said it “should never have happened”. She added, “I can’t apologise enough because on this occasion we failed.”
To make matters worse, once alerted to the data breach, PHW did not follow the body’s serious incident reporting procedures. As a result, the data was not taken down until the next morning. Dr Cooper has admitted that PHW could have acted more quickly in removing the information.
What happens now?
The Information Commissioner’s Office (ICO) will be making inquiries into the data breach. The ICO is the UK’s data protection regulator. It exists to protect your information rights and data privacy. The ICO can also impose substantial fines on organisations in breach of their duties, although it does not award compensation to victims.
There has also been a degree of political fallout since the breach. This comes after the Welsh First Minister Mark Drakeford said he found out about the PHW data breach 11 days after Health Minister Vaughan Gething. There are certainly questions to be asked over why it took two weeks before the public was informed.
Can you make a data breach claim against PHW following the coronavirus data breach?
If you are a Welsh resident who tested positive for COVID-19 between 27 February and 30 August, you can make a data breach claim against PHW. And our expert data breach lawyers believe that you have a good chance of success, not least because PHW has admitted liability for this breach.
What’s more, this is the second time a part of the Welsh NHS has been involved in a data breach during the pandemic. In April, NHS Wales Informatics Services sent 13,000 shielding letters to the wrong addresses, so there is a pattern of data protection failures. Something must be done to hold organisations to account and force better security measures.
Crucially, the law recognises that a data breach can have a significant impact on you, both mentally and physically. It can cause or exacerbate anxiety, stress and other psychological conditions. So you can claim compensation for distress, even if cybercriminals never use your data.
Is there a need for greater security during the coronavirus pandemic?
Leading data privacy expert, and our Head of Data Breach, Kingsley Hayes has been leading calls for organisations to address the issue of information security during the pandemic.
Commenting on the PHW data breach, he said:
Data is playing a crucial role in reducing the spread of COVID-19, but the need for robust security measures to protect personally identifiable information should not be overlooked. At this time of crisis, organisations – especially those that deal with sensitive medical data – must ensure that patients are protected. This is particularly important as the UK quickly adopts new technology such as apps to help keep us safe. Being mindful of potential data protection risks and implementing appropriate security measures must remain a priority.
Of course, our healthcare sector does a fantastic job, often under very challenging circumstances. But all too often data privacy is being treated as an after-thought. As in this case, the vast majority of data breaches are caused by human error, but we should not downplay the potential impact of this violation. Not least because those affected are no doubt already experiencing distress due to a positive COVID-19 diagnosis. The additional worry about having their privacy violated at this difficult time could prove devastating.”
Make a claim against Public Heath Wales
If you want to make a data breach claim against PHW following this privacy breach, we can help. Contact us for a free assessment of your case. We’ll talk you through your options and explain everything in plain English.