Public Health Wales said that on Aug. 30, “personally identifiable data” for 18,105 Welsh residents were “uploaded by mistake to a public server where it was searchable by anyone using the site.”
The information was available for 20 hours and was viewed 56 times.
Health officials said there was no evidence that the data was misused and described the risk of identification as low. For the vast majority of cases (16,179), the data included peoples’ “initials, date of birth, geographical area and sex.”
However, matters were worse for nearly 2,000 people living in nursing homes, as the data named the setting.
“We take our obligations to protect people’s data extremely seriously and I am sorry that on this occasion we failed,” said Dr. Tracey Cooper, the agency’s chief executive. “We have commenced a swift and thorough external investigation into how this specific incident occurred and the lessons to be learned.”
Health officials said the Information Commissioner's Office (ICO) and the Welsh Government were informed, and the NHS Wales Informatics Service is leading an external investigation on the breach.
Cooper reportedly told BBC Wales that PHW “should have taken [the data] down quicker.”
According to BBC, after the data was uploaded at 14:00 on Aug. 30, the person who was “alerted [of] the breach” “did not follow the body's serious incident reporting procedures,” adding that the data was taken down the following morning at 09:55.
The officials assured that “immediate actions” have been taken to prevent a similar situation from occurring again, like changes to the standard operating procedures (a senior member will conduct data uploads).
Those with concerns were asked to look over the agency’s posted FAQ’s and then email the agency with any additional questions.