Details of more than 18,000 people who tested positive for coronavirus were accidentally published online by Public Health Wales.
The health body said that on August 30, data of 18,105 Welsh residents could be viewed online for up to 20 hours.
Public Health Wales (PHW) said that in most cases, early time, date of birth, geographic region and gender, mean identification risk was low.
However 1,928 people living in communal settings were at risk.
The name of their place of residence was also published for nursing home residents or those living in supported housing, meaning that the risk, while still considered low, was high.
The incident was the result of a “personal human error” when information was uploaded to a public server being searched by someone using the site.
PHW said the information was viewed 56 times before it was removed but there was no evidence yet that the data was misused.
What is Public Health Wales doing about the data breech?
Chief executive Tracy Cooper told BBC Wales that the failure was one of the “biggest data breaches” he had come across and said it “should never happen”.
Dr. Cooper also said that Public Health Wales could have acted more quickly in removing information.
The person, who was alerted to the breech at 14:00 on the evening of 30 August following the information, did not follow the body’s serious incident reporting procedures that day.
The data was not deleted until 09:55 the next morning.
Finding out why the NHS is part of the context of an external investigation conducted by Wells Informatics Service. “I think we should have taken it down quickly,” he said.
Ms Cooper said the team “takes data security responsibilities very seriously” “devastated that this has happened”.
“I cannot apologize enough because we failed on this occasion.”
Dr. Cooper said she is not considering resigning, saying: “I am the person who is accountable and as chief executive is where the buck stops.
“I want to get to the bottom of it so I’m not at this level [considering my position]. ”
PHW said it had already taken steps, including ensuring that no data was uploaded by a senior team member anymore.
What has been the reaction?
Welsh Orthodox spokesperson on health, Andrew RT Davis MS, said: “I accept that the risk is considered ‘low’, but I’m not sure that would be very relaxing for the nearly 2,000 residents in care homes or other enclosed settings – Limited Limited – Information was posted along with their place of residence.
“The Health Minister has sat on it for two weeks and had a press conference today without disclosing this critical failure – and this is unacceptable.”
His plaid Cymru counterpart, Rhun Ap Iorwerth MS, said: “Any data breech is serious, and this data breech is a serious concern, including possible means of identifying patients.
“Public Health should be able to explain to Wales and the Welsh Government exactly how this happened, and assure that it cannot happen again.”
Second Data Breach
The Information Commissioner’s Office (ICO) and the Welsh Government have been informed. The ICO said it was inquiring after the alert.
This is the second time a part of the Welsh NHS has had to refer to the ICO over a data breach during the epidemic.
In April, NHS Wales Informatics Services – the IT arm of healthcare – contacted the watchdog after sending 13,000 shielding letters to the wrong address.
Anyone concerned that their data or any close family member may be published may seek advice from Public Health Wales.
The Welsh Government said this was a matter for public health Wales.