A Simple Wrong Click Led to the Exposure of Covid-19 Patients Data

Category: Blog, Security  |  Tuesday, September 15th, 2020

We all hit the wrong button sometimes. Unfortunately, in Wales, an employee made a big “oops” and hit the external “publish” button, exposing the personal data of 18,105 Welsh residents who tested positive for COVID-19. That sensitive information was visible for 20 hours on a public server on Aug. 30 and was viewed up to 56 times, the agency said.

So much for confidential health rights! It just goes to show that even with the best protections in place, a simple mistake can wreak havoc.

The data documented the results of those residents who tested positive for COVID-19 between Feb. 27 and Aug. 30. It included people’s initials, date of birth, gender and general location, but not specific information on who they are. But it’s not rocket science. For the 1,926 people who live in supported housing or nursing homes, the data included the names of those locations. Any good hacker could put the pieces together.

The confidential data was intended to be posted to Public Health Wales’ internal private Tableau dashboard, but it accidentally ended up on the public-facing page after a staffer hit the wrong button.

“We take our obligations to protect people’s data extremely seriously and I am sorry that on this occasion we failed,” Tracey Cooper, Public Health Wales’ chief executive, said in a statement. “I would like to reassure the public that we have in place very clear processes and policies on data protection.”

“We have commenced a swift and thorough external investigation into how this specific incident occurred and the lessons to be learned. I would like to reassure the public that we have taken immediate steps to strengthen our procedures and sincerely apologize again for any anxiety this may cause people.”

The good news is that Public Health Wales said it has since made some big changes to its internal processes: it has separated the internal and public dashboards to protect against further accidental exposures and has added checks to make sure that people are uploading data to the correct servers.

The National Health Service is also initiating an independent investigation and looking into why the patients’ data was not anonymized.

It’s not the first Covid-19 data leak. Patients in South Dakota suffered a data leak in June. LA County has had its issues too. In September, LA announced a partnership with Citizen for contact tracing, but the app shows precise location data for possible exposures to COVID-19, which would allow people to figure out who has the disease. 

Privacy advocates are up in arms. People will not volunteer for tracing programs if their data is exposed.

US lawmakers are proposing privacy protections for COVID-19 data, to make sure that the information is only used for public health purposes and can’t be used for government surveillance or company profits.

“Clearly, this is an unfortunate mistake,” said Richard Meeus, security, technology and strategy director at Akamai Technologies. “Sadly, these kinds of issues are something we often observe across the online world, so it is essential that companies continuously work to educate employees of their responsibilities when handling personal data and the crucial considerations around GDPR [General Data Protection Regulation].

“Furthermore, businesses and organizations can adopt measures themselves that prevent or mitigate the impact of a potential situation like this, such as employing the principle of least privilege, which states that employees can only perform actions required to do their job, allowing for additional checks and verifications for processes that could have unwanted consequences.”

If you need assistance with Managed IT Services or Security Services, give EnhancedTECH a call at 914-970-9330.


