Data on 18,105 coronavirus patients leaks after staffer clicks wrong button

Public Health Wales says the private health data was published by mistake and visible for 20 hours.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
2 min read

A staffer for Public Health Wales accidentally leaked data on more than 18,000 COVID-19 patients by clicking the wrong button.

Getty Images

Your health data is supposed to be confidential, with protections to ensure it doesn't fall into the wrong hands, but a mistake as simple as clicking the wrong button can cause sensitive information on thousands of people to leak to the public. 

On Monday, Public Health Wales disclosed that it accidentally leaked the personal data of 18,105 Welsh residents who tested positive for COVID-19, and that data was visible for 20 hours on a public server on Aug. 30 and viewed up to 56 times, the agency said

The data belonged to every resident of Wales who tested positive for COVID-19 between Feb. 27 and Aug. 30. It included people's initials, date of birth, gender and general location, but not specific information on who they are. Still, for a subset of 1,926 people who live in supported housing or nursing homes, the data included the names of those locations.

The data is supposed to be posted to Public Health Wales' internal private Tableau dashboard, but instead ended up on the public- facing page after a staffer accidentally clicked the wrong button. 

"We take our obligations to protect people's data extremely seriously and I am sorry that on this occasion we failed," Tracey Cooper, Public Health Wales' chief executive, said in a statement. "I would like to reassure the public that we have in place very clear processes and policies on data protection."

Public Health Wales said it's since separated its internal and public dashboard processes to make sure the mistake can't happen again, and added more checks to ensure that people are uploading data to the proper servers.

The agency added that the National Health Service is carrying out an independent investigation and looking into why the patients' data was not anonymized.

Public Health Wales considers the leaked data low-risk, since it was up for a limited time and the information was limited, and said it won't be contacting the people affected by the breach. 

The breach in Wales is not the first that spilled information on people dealing with the novel coronavirus . COVID-19 patients in South Dakota suffering a data leak in June. In South Korea, where health officials use personal data to track the spread of the disease, also has raised privacy concerns

In September, Los Angeles County announced a partnership with Citizen for contact tracing, but the app shows precise location data for possible exposures to COVID-19, which would allow people to figure out who has the disease. 

Privacy advocates are warning that protecting the data associated with COVID-19 patients is essential. If people don't trust that their privacy is being protected, they're less likely to take tests and volunteer to be tracked. 

US lawmakers are proposing privacy protections for COVID-19 data, to make sure that the information is only used for public health purposes and can't be used for government surveillance or company profits.

Watch this: Russian hackers look to steal coronavirus vaccine info, TikTok tries damage control
The information contained in this article is for educational and informational purposes only and is not intended as health or medical advice. Always consult a physician or other qualified health provider regarding any questions you may have about a medical condition or health objectives.