[BreachExchange] Data on 18, 105 coronavirus patients leaks after staffer clicks wrong button
Destry Winant
destry at riskbasedsecurity.com
Wed Sep 16 10:15:10 EDT 2020
https://www.msn.com/en-us/news/technology/data-on-18105-coronavirus-patients-leaked-after-staffer-clicks-wrong-button/ar-BB19468v
Your health data is supposed to be confidential, with protections to
ensure it doesn't fall into the wrong hands, but a mistake as simple
as clicking the wrong button can cause sensitive information on
thousands of people to leak to the public.
On Monday, Public Health Wales disclosed that it accidentally leaked
the personal data of 18,105 Welsh residents who tested positive for
COVID-19, and that data was visible for 20 hours on a public server on
Aug. 30 and viewed up to 56 times, the agency said.
The data belonged to every resident of Wales who tested positive for
COVID-19 between Feb. 27 and Aug. 30. It included people's initials,
date of birth, gender and general location, but not specific
information on who they are. Still, for a subset of 1,926 people who
live in supported housing or nursing homes, the data included the
names of those locations.
The data is supposed to be posted to Public Health Wales' internal
private Tableau dashboard, but instead ended up on the public- facing
page after a staffer accidentally clicked the wrong button.
"We take our obligations to protect people's data extremely seriously
and I am sorry that on this occasion we failed," Tracey Cooper, Public
Health Wales' chief executive, said in a statement. "I would like to
reassure the public that we have in place very clear processes and
policies on data protection."
Public Health Wales said it's since separated its internal and public
dashboard processes to make sure the mistake can't happen again, and
added more checks to ensure that people are uploading data to the
proper servers.
The agency added that the National Health Service is carrying out an
independent investigation and looking into why the patients' data was
not anonymized.
Public Health Wales considers the leaked data low-risk, since it was
up for a limited time and the information was limited, and said it
won't be contacting the people affected by the breach.
The breach in Wales is not the first that spilled information on
people dealing with the novel coronavirus . COVID-19 patients in South
Dakota suffering a data leak in June. In South Korea, where health
officials use personal data to track the spread of the disease, also
has raised privacy concerns.
In September, Los Angeles County announced a partnership with Citizen
for contact tracing, but the app shows precise location data for
possible exposures to COVID-19, which would allow people to figure out
who has the disease.
Privacy advocates are warning that protecting the data associated with
COVID-19 patients is essential. If people don't trust that their
privacy is being protected, they're less likely to take tests and
volunteer to be tracked.
US lawmakers are proposing privacy protections for COVID-19 data, to
make sure that the information is only used for public health purposes
and can't be used for government surveillance or company profits.
More information about the BreachExchange
mailing list