Public Health Wales has confirmed that it accidentally published the personal data of 18,105 people who tested positive for coronavirus.
The information was available on a publicly accessible server for 20 hours on 30 August.
In most cases, patients’ initials, dates of birth, geographical area and gender were exposed, which fortunately presents little risk.
However, 1,928 people who live in nursing homes or supported accommodation also had the name of their place of residence revealed.
As such, anyone who viewed the information and knew one of the patients would be much more likely to identify them.
“Should never have happened”
Public Health Wales Chief Executive Tracey Cooper told BBC Wales that the failure was one of the “biggest data breaches” she had come across and that it “should never have happened”.
She added that the organisation could have acted more quickly in removing the information.
The employee responsible for data breach response was alerted to the incident on the evening of 30 August but didn’t follow the body’s serious incident reporting procedures.
The data wasn’t removed until 9:55 the next morning, by which time it had been viewed 56 times.
The ICO (Information Commissioner’s Office) and the Welsh Government have since been informed.
This is the second time that the Welsh NHS has had to refer itself to the ICO over a data breach during the coronavirus pandemic.
In April, NHS Wales Informatics Services – which oversees the health service’s IT operations – contacted the data protection watchdog after 13,000 shielding letters were sent to the wrong addresses.
The Welsh Conservative spokesperson on health, Andrew RT Davies MS, said: “I acknowledge that the risk is considered to be ‘low’, but I’m not sure that that will be much comfort to the nearly 2,000 residents of care homes or other enclosed settings whose – albeit limited – information was posted along with their place of residence.
“The health minister appears to have sat on this for two weeks and done a press conference earlier today without disclosing this significant failing – and that’s unacceptable.”
His Plaid Cymru counterpart, Rhun ap Iorwerth MS, said: “Any data breach is serious, and this data breach including potential means of identifying patients is of serious concern.
“Public Health Wales and the Welsh Government have to be able to explain how exactly this happened, and give assurances that this can’t happen again.”