A SOCIAL care leader says a disastrous data breach by Public Health Wales has highlighted the need for major reforms.

Mario Kreft MBE, the chair of Care Forum Wales, shared his concerns about the leak which led to the details of more than 18,000 people who tested positive for coronavirus being published online for 20 hours on August 30.

Most cases involved in the data breach gave initials, date of birth, geographical area and sex, meaning the risk of identification was low, said Public Health Wales.

Mr Kreft said: “One of the key questions is why has it taken so long for Public Health Wales to admit this disastrous data breach with highly personal information being published on a website for the whole world to see?

“For whatever reason, Public Health Wales have kept this under wraps for a fortnight when they should surely have been up front about it and let people know as soon as possible.

“Something as important as this should have been brought to the attention of the people of Wales and the Welsh Government immediately. The delay was totally unacceptable.”

Mr Kreft adds that there was more risk of the nearly 2,000 people living in care homes or supported housing being identified because the published data included the name of their place of residence.

He continues: “If something of a fraction of the magnitude of this had happened in the private sector, the regulator would have come down on the company concerned like a ton of bricks. There would have been a price to be paid and somebody would have been held to account.

“This was a dreadful mistake by an individual but the decision to keep this important information quiet was clearly taken at a high level within Public Health Wales. This is about the checks and the balances within the organisation and about how it is managed.

“The fact that this breach was allowed to happen in the first place and the ensuing lack of openness and transparency is incredibly damaging in terms of the public’s trust and confidence.

“Neither does it inspire the trust of the independent sector working in social care.”

The fact that it took so long, said Mr Kreft, was hugely damaging in terms of public trust and confidence in the organisation which had “not had a great pandemic” and this must come as a “crushing blow to many of the hard-working people in the organisation”.

He continues: “This disastrous data breach has highlighted the need for far-reaching reforms of the whole of the system, not just Public Health Wales.

“If they review and reflect in an open and transparent way about what has taken place and also consult with the social care sector as part of the process, we will be able to put changes in place to make us more resilient in future.

“Luckily, many of our members had the good sense and strength of character to resist their calls in the early days of the coronavirus crisis to allow hospital patients to be discharged into care homes without testing.

“Their refusal as part of our campaign to shield social care undoubtedly saved countless lives which would otherwise have been lost if everybody had followed the guidance of Public Health Wales.

“I can only imagine that they are just reeling from one body blow after another.”

Mr Kreft says that there are still “major problems in terms of testing” - both with the overall capacity and how it’s all being managed.

He adds: "The most important thing to people running care homes is capacity - capacity to get tests done, and capacity to turn the results around quickly.

"Everyone on the ground is trying their best, but the system can be a nightmare even as it's currently organised."

In a statement, the agency said: "Public Health Wales regrets to announce that there has been a data breach involving the personally identifiable data of Welsh residents who have tested positive for Covid-19.

"A risk assessment has been conducted and legal advice has been sought, both of which advise that the risk of identification of the individuals affected by this data breach appears low.

"The incident, which was the result of individual human error, occurred on the afternoon of 30 August 2020 when the personal data of 18,105 Welsh residents who have tested positive for Covid-19 was uploaded by mistake to a public server where it was searchable by anyone using the site.

"After being alerted to the breach we removed the data on the morning of 31 August.

"In the 20 hours it was online it had been viewed 56 times."

They added: "In the majority of cases (16,179 people) the information consisted of their initials, date of birth, geographical area and sex meaning that the risk they could be identified is low.

"However, for 1,926 people living in nursing homes or other enclosed settings such as supported housing, or residents who share the same postcode as these settings, the information also included the name of the setting.”