Euro Security Watch with Mathew J. Schwartz

Breach Notification , COVID-19 , General Data Protection Regulation (GDPR)

Breach of COVID-19 Test Data Undermines Pandemic Response

'Human Error' Results in 18,000 Individuals' Test Results Being Exposed in Wales
Breach of COVID-19 Test Data Undermines Pandemic Response

What's one of the worst things that can happen during a pandemic? The answer is anything that gives people less trust in their public health system to handle the crisis, potentially leading to lower compliance with essential government guidance and undercutting efforts to eradicate the outbreak.

See Also: Restructuring Your Third-Party Risk Management Program

Enter a U.K. data breach that has exposed personally identifiable information for every one of the 18,105 residents of Wales who tested positive for COVID-19 from Feb. 27 to Aug. 30.

"Don't let this mistake put you off getting tested." 

Public Health Wales, the national public health agency, first disclosed the breach on Monday, saying it was the result of "individual human error" and had occurred on Aug. 30 after the PII was "uploaded by mistake to a public server where it was searchable by anyone using the site." Public Health Wales says it immediately excised the data after being alerted to the breach. "In the 20 hours it was online it had been viewed 56 times," the agency says.

The health agency says the exposed information falls into two categories:

  • Lower risk of identification: For 16,179 individuals, exposed information "consisted of their initials, date of birth, geographical area and gender, meaning that the risk they could be identified is low."
  • Higher risk of identification: The remaining 1,926 individuals live in nursing homes or supported housing - including homelessness hostels, refuges, long-term accommodation for individuals unable to live in the community - and the exposed information included the above, as well as the name of the setting in which they live.

For the individuals for whom more information was exposed, "the risk of identification for these individuals therefore is higher but is still considered low," Public Health Wales says, noting that the U.K.'s Information Commissioner's Office has been alerted, and a full investigation is underway.

Even so, these types of errors are anathema to trust in the public health system and can compound compliance problems with various levels of lockdown restrictions that have been imposed by the four countries that comprise the U.K. - not just Wales, but also England, Scotland and Northern Ireland.

"We recognize that the disclosure of any confidential personal information is likely to cause concern and anxiety among those affected and we deeply regret that this has happened," Public Health Wales says.

As one doctor in Wales tweeted: Don't let this breach stop you from getting tested.

UK Cases Spike

In the U.K., so far, 371,125 individuals have tested positive for COVID-19, including 2,621 on Monday, according to official figures, and at least 41,637 deaths due to the disease have been counted. A recent surge in infections has led officials in England and Scotland to mandate a new "rule of six," which prohibits social gatherings - indoors or out - of more than six people. Violators in England can face fines of up to £3,200 ($4,125).

Seven-day average of new COVID-19 cases in Britain, with caveat that the country's testing capability has recently crashed. (Source: U.K. COVID-19dashboard)

In some regions of the country - including Birmingham and Glasgow - visiting other people's houses has also been prohibited, due to rising infection rates.

Accurate counts of infection rates have been stymied in recent days, however, by Conservative Prime Minister Boris Johnson's administration warning that it has put in place insufficient testing capacity, leading to excessive delays in getting back test results. Public health officials say the crash in testing capabilities prefigures what is expected to be a surge in cases this winter.

As part of the government's pandemic response, Johnson initially promised to have a digital contact-tracing app in place by mid-May, which would centrally track all users and include scant security or privacy protections, despite security experts warning that such safeguards would be mandatory for adoption.

After testing early versions of its app this past spring, the government made a U-turn, promising to follow a privacy-preserving approach and saying the app might finally be ready by winter.

Prime Minister Boris Johnson speaks at an Sept. 9 COVID-19 press conference. His administration has struggled to issue easy-to-understand guidance for individuals to safeguard themselves and others during the pandemic. (Photo: Pippa Fowles, Prime Minister's Office)

Now, Johnson's government has promised that a contact-tracing app for England and Wales will be launched on Sept. 24.

Anonymized Tracking

In contrast to the weak Westminster-led response, Northern Ireland launched its app, called StopCOVID NI, for Apple and Google devices on July 31.

"This could be the most important thing you do all year," Northern Ireland Health Minister Robin Swann said at the time. "It could prevent you from spreading the virus to people you care about."

Officials say StopCOVID NI has been downloaded by 350,000 individuals, and so far, the app has notified 1,000 of them that they might be at risk. Public health officials in Northern Ireland say they're developing a version of the app targeted at those younger than age 18.

Northern Ireland's app was designed by NearForm, which also built an app for the Republic of Ireland, which made the code open source in July to help other governments.

The StopCOVID NI digital contact-tracing app launched on July 31 for residents of Northern Ireland

Scotland launched its own contact-tracing app, Protect Scotland, also designed by NearForm, on Thursday. "I would encourage everyone to download the free app if they have a compatible smartphone and help slow the spread of COVID-19. This will support the work of NHS Scotland and has the potential to help avoid local lockdowns," said Scotland's First Minister Nicola Sturgeon.

How Digital Contract-Tracing Apps Work

Using updates Apple and Google have added to their operating system, the apps use Bluetooth to exchange non-identifiable information in the background with other capable devices, logging their proximity and duration but capturing no location data.

If someone receives a positive COVID-19 test, they will receive a text message inviting them to enter a code, generated by their app, that will allow health authorities to see the anonymized IDs of everyone with whom they came into contact for a specified duration. The app can then be set to flag the devices using these IDs - again, anonymously - so individuals can be warned to self-isolate, as they may be at increased risk of having caught the disease.

Five-day average of daily confirmed new COVID-19 cases globally as of Sept. 13 (Source: Johns Hopkins Coronavirus Research Center)

Whether digital contact tracing apps have a demonstrable impact on improving the suppression of new COVID-19 infections remains to be seen. But as the pandemic continues, and infection and death rates rise - more than 29 million cases and 929,000 deaths having been recorded worldwide - we need all the help we can get.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing cuinfosecurity.com, you agree to our use of cookies.