HUMAN error was the critical factor in a data breach which led to the publication online of the personal details of more than 18,000 people in Wales who had tested positive for coronavirus, an investigation has concluded.

And opportunities were missed to remove those details from the Public Health Wales website at an earlier stage, after they were uploaded by mistake on the afternoon of Sunday, August 30.

Public Health Wales boss Tracey Cooper has today issued a fulsome apology for the breach and sought to assure the public that measures have been taken to prevent a repeat.

The information - which included the details of more than 2,800 people from Gwent - was not taken down until shortly before 10am the following morning, almost 20 hours later. It had been viewed 56 times.

Public Health Wales has accepted in full the recommendations of the independent investigation it commissioned to examine the circumstances of the breach.

The data involved personal details of 18,105 residents of Wales who had tested positive for coronavirus between February and August of this year.

Eight recommendations for action to try to prevent such a breach happening again are set out in the report and have been accepted in full by Public Health Wales.

They include measures to regularly audit procedures for information processing responsibilities, and to regularly review the demands of pandemic reporting and analysis and whether sufficient resources are available for this purpose.


The investigation also identified a specific inherent risk linked to the software publication process for internal and external information and concluded that Public Health Wales should consider "a full review of its information management, analysis and publication tools".

The investigation was carried out by Darren Lloyd, head of information governance at the NHS Wales Informatics Service, and John Sweeney, information sharing and governance manager at NHS Wales.

“This has been a thorough investigation and we accept all of its recommendations," said Public Health Wales chief executive Tracey Cooper.

"We take our obligations to protect people’s data extremely seriously, and I am truly sorry that on this occasion we failed.

“Among the investigation’s findings, it was reported that, while the incident was the result of human error in the last step of the publishing process, the publishing process itself could have included additional safeguards.

"Following the data breach, we took immediate action to address this, and the recommendations contained within this report also outline further areas that we can improve to prevent such an incident happening again.

“The report also stated that pressures of work may have been a factor. We acknowledge that, due to the unprecedented increase in demand for COVID-19 information, there has been significant pressure on the teams involved.

"Whilst we have mobilised additional resource for our teams, it has been challenging to ensure there is sufficient resource in place to keep up with the demand and pace required.

"We continue to work to ensure that our people with a greater responsibility to meet the demands of the pandemic are given the support and resources they need.

“We are aware that a number of opportunities to recognise the matter as an incident requiring immediate attention were missed.

"We acted as soon as we became aware to address this gap, and we will continue to ensure all staff fully understand their responsibilities in relation to reporting and escalating incidents, including data breaches.

“We are committed to implementing all of the recommendations outlined in the report.

"We have produced an action plan which contains the necessary actions to implement the recommendations, some of which form part of existing plans. This will supplement the steps we have already taken to strengthen our procedures.

"I would like to reassure the public that the actions we have taken have led to considerable improvements aimed at preventing an incident like this occurring again.”

There is no evidence at this stage that the data was misused. However, anyone concerned that their data or that of a close family member may have been breached, and who want advice, should read the 'frequently asked questions' at and then email if they have additional questions.

People can also call Public Health Wales on 0300 003 0032 to discuss their concerns.