Print Article

Coronavirus: 18,000 test results published by mistake


The details of more than 18,000 people who tested positive for coronavirus were published online by mistake by Public Health Wales.

The health body said the data of 18,105 Welsh residents was viewable online for 20 hours on 30 August.

Most cases gave initials, date of birth, geographical area and sex, meaning the risk of identification was low, Public Health Wales (PHW) said.

However 1,928 people in living in communal settings were more at risk.

Nursing home residents or those living in supported housing also had the name of their place of residence published, meaning the risk, while still considered low, was higher.

The incident was the result of "individual human error" when the information was uploaded to a public server searchable by anyone using the site.

PHW said the information had been viewed 56 times before it was removed but there was no evidence so far that the data had been misused.

What is Public Health Wales doing about the data breach?

Chief executive Tracey Cooper told BBC Wales the failure was one of the "biggest data breaches" she had come across and said it "should never have happened".

Dr Cooper also said Public Health Wales could have acted more quickly in removing the information.

The person who was alerted to the breach on the evening of 30 August after the information was posted at 14:00 that day did not follow the body's serious incident reporting procedures.

The data was not removed until 09:55 the next morning.

Finding out why is part of the terms of reference of an external investigation which will be carried out by NHS Wales Informatics Service. "I think we should have taken it down quicker," she said.

The team that "takes data protection responsibilities extremely seriously" was "devastated that this has happened", Ms Cooper said.

"I can't apologise enough because on this occasion we failed."

Dr Cooper said she was not considering resigning, saying: "I'm the person who is accountable and as chief executive that's where the buck stops.

"I want to get to the bottom of it so I'm not at this stage [considering my position]."

PHW said it had already taken steps, including making sure any data uploads were now undertaken by a senior team member.

What has the reaction been?

Welsh Conservative spokesman on health, Andrew RT Davies MS, said: "I acknowledge that the risk is considered to be 'low', but I'm not sure that that will be much comfort to the nearly 2,000 residents of care homes or other enclosed settings whose - albeit limited - information was posted along with their place of residence.

"The health minister appears to have sat on this for two weeks and done a press conference earlier today without disclosing this significant failing - and that's unacceptable."

His Plaid Cymru counterpart, Rhun ap Iorwerth MS, said: "Any data breach is serious, and this data breach including potential means of identifying patients is of serious concern.

"Public Health Wales and the Welsh Government have to be able to explain how exactly this happened, and give assurances that this can't happen again."

Second data breach

The Information Commissioner's Office (ICO) and the Welsh Government have been informed. The ICO said it would be making inquires following the alert.

This is the second time a part of the Welsh NHS has had to refer itself to the ICO over a data breach during the pandemic.

In April, NHS Wales Informatics Services - the health service's IT arm - contacted the watchdog after 13,000 shielding letters were sent to the wrong addresses.

Anyone concerned that their data or that of a close family member could have been published can get advice from Public Health Wales.

The Welsh Government said it was a matter for Public Health Wales.


The Team

Meet the team of industry experts behind Comsure

Find out more

Latest News

Keep up to date with the very latest news from Comsure

Find out more


View our latest imagery from our news and work

Find out more


Think we can help you and your business? Chat to us today

Get In Touch

News Disclaimer

As well as owning and publishing Comsure's copyrighted works, Comsure wishes to use the copyright-protected works of others. To do so, Comsure is applying for exemptions in the UK copyright law. There are certain very specific situations where Comsure is permitted to do so without seeking permission from the owner. These exemptions are in the copyright sections of the Copyright, Designs and Patents Act 1988 (as amended)[]. Many situations allow for Comsure to apply for exemptions. These include 1] Non-commercial research and private study, 2] Criticism, review and reporting of current events, 3] the copying of works in any medium as long as the use is to illustrate a point. 4] no posting is for commercial purposes [payment]. (for a full list of exemptions, please read here]. Concerning the exceptions, Comsure will acknowledge the work of the source author by providing a link to the source material. Comsure claims no ownership of non-Comsure content. The non-Comsure articles posted on the Comsure website are deemed important, relevant, and newsworthy to a Comsure audience (e.g. regulated financial services and professional firms [DNFSBs]). Comsure does not wish to take any credit for the publication, and the publication can be read in full in its original form if you click the articles link that always accompanies the news item. Also, Comsure does not seek any payment for highlighting these important articles. If you want any article removed, Comsure will automatically do so on a reasonable request if you email