Your health data is supposed to be confidential with proper protections to ensure it doesn’t fall into the wrong hands, but a mistake as simple as clicking the wrong button can cause sensitive information on thousands of people to leak to the public.
On Monday, Public Health Wales disclosed that it accidentally leaked personal data of 18,105 Welsh residents who tested positive for COVID-19, which was visible for 20 hours on a public server on August 30 and viewed up to 56 times, the agency said.
The data belonged to every Welsh resident who tested positive for COVID-19 between February 27 and August 30. It included people’s initials, date of birth, gender and general location, but not specific information on who they are. But for a subset of 1,926 people who live in supported housing or nursing homes, the data included the names of those locations.
The data is supposed to be posted to Public Health Wales’ internal private Tableau dashboard, but instead ended up on the public facing page instead after a staffer accidentally clicked the wrong button.
“We take our obligations to protect people’s data extremely seriously and I am sorry that on this occasion we failed,” Tracey Cooper, Public Health Wales’ chief executive said in a statement. “I would like to reassure the public that we have in place very clear processes and policies on data protection.”
Public Health Wales said it’s since separated its internal and public dashboard process to make sure the mistake can’t happen again, as well as adding more checks to ensure people are uploading data to the proper servers.
The agency said the National Health Service was carrying out an independent investigation, and looking into why the patients’ data was not anonymized.
Public Health Wales said it considered the leaked data low-risk, since it was up for a limited time and the information was limited, and will not be contacting the people affected by the breach.
The breach in Wales is not the first, with COVID-19 patients in South Dakota suffering a data leak in June. In South Korea, health officials also use personal data to track the spread of the disease, which also raised privacy concerns.
In September, Los Angeles County announced a partnership with Citizen for contact tracing, but the app shows precise location data for possible exposures to COVID-19, which would allow people to figure out who has the disease.
Privacy advocates are warning that protecting the data associated with COVID-19 patients is just as important. If people don’t trust that their privacy is being protected, they’re less likely to take tests and volunteer to be tracked, for example.
US lawmakers are proposing privacy protections for COVID-19 data, to make sure that the information is only used for public health purposes and can’t be used for government surveillance or company profits.
The information contained in this article is for educational and informational purposes only and is not intended as health or medical advice. Always consult a physician or other qualified health provider regarding any questions you may have about a medical condition or health objectives.