Wales’ ‘disastrous’ Covid-19 data breach highlights need for urgent reforms, says social care leader
A social care leader says the “disastrous” data breach which led to the details of more than 18,000 people who tested positive for coronavirus being published online has highlighted the need for major reforms.
Mario Kreft MBE, the chair of Care Forum Wales, is also concerned that it took Public Health Wales a fortnight to admit the mistake which meant that the data could be viewed online for 20 hours on August 30.
The fact that it took so long, said Mr Kreft, was hugely damaging in terms of public trust and confidence in the organisation which had “not had a great pandemic”.
Mr Kreft believes that, had something similar happened in the private sector, the authorities would have come down on it like “a ton of bricks”.
Most cases involved in the data breach gave initials, date of birth, geographical area and sex, meaning the risk of identification was low, said Public Health Wales.
There was more risk of the nearly 2,000 people living in care homes or supported housing being identified because the published data included the name of their place of residence.
The incident was the result of “individual human error” when the information was uploaded to a public server searchable by anyone using the site.
The information had been viewed 56 times before it was removed but there was no evidence so far that the data had been misused.
Mr Kreft said: “One of the key questions is why has it taken so long for Public Health Wales to admit this disastrous data breach with highly personal information being published on a website for the whole world to see?
“For whatever reason, Public Health Wales have kept this under wraps for a fortnight when they should surely have been up front about it and let people know as soon as possible.
“Something as important as this should have been brought to the attention of the people of Wales and the Welsh Government immediately. The delay was totally unacceptable.
“To publish information about individuals’ personal medical history and the names of the care homes where they live raises very serious concerns about the organisation.
“If something of a fraction of the magnitude of this had happened in the private sector, the regulator would have come down on the company concerned like a ton of bricks. There would have been a price to be paid and somebody would have been held to account.
“This was a dreadful mistake by an individual but the decision to keep this important information quiet was clearly taken at a high level within Public Health Wales. This is about the checks and the balances within the organisation and about how it is managed.
“The fact that this breach was allowed to happen in the first place and the ensuing lack of openness and transparency is incredibly damaging in terms of the public’s trust and confidence.
“Neither does it inspire the trust of the independent sector working in social care.
“Let’s face it, the track record of Public Health Wales has not been great during this coronavirus crisis.
“They have not had a great pandemic and this must come as a crushing blow to many of the hard-working people in the organisation.
“This disastrous data breach has highlighted the need for far-reaching reforms of the whole of the system, not just Public Health Wales.
“If they review and reflect in an open and transparent way about what has taken place and also consult with the social care sector as part of the process, we will be able to put changes in place to make us more resilient in future.
“Luckily, many of our members had the good sense and strength of character to resist their calls in the early days of the coronavirus crisis to allow hospital patients to be discharged into care homes without testing.
“Their refusal as part of our campaign to shield social care undoubtedly saved countless lives which would otherwise have been lost if everybody had followed the guidance of Public Health Wales.
“I can only imagine that they are just reeling from one body blow after another.
“There are still major problems in terms of testing, both with the overall capacity and how it’s all being managed.
“The most important thing to people running care homes is capacity – capacity to get tests done, and capacity to turn the results around quickly.
“Everyone on the ground is trying their best, but the system can be a nightmare even as it’s currently organised.”
‘Risk is low’
In a statement, the agency said: “Public Health Wales regrets to announce that there has been a data breach involving the personally identifiable data of Welsh residents who have tested positive for Covid-19.
“A risk assessment has been conducted and legal advice has been sought, both of which advise that the risk of identification of the individuals affected by this data breach appears low.
“The incident, which was the result of individual human error, occurred on the afternoon of 30 August 2020 when the personal data of 18,105 Welsh residents who have tested positive for Covid-19 was uploaded by mistake to a public server where it was searchable by anyone using the site.
“After being alerted to the breach we removed the data on the morning of 31 August.
“In the 20 hours it was online it had been viewed 56 times.”
They added: “In the majority of cases (16,179 people) the information consisted of their initials, date of birth, geographical area and sex, meaning that the risk they could be identified is low.
“However, for 1,926 people living in nursing homes or other enclosed settings such as supported housing, or residents who share the same postcode as these settings, the information also included the name of the setting.”