Covid-19 leak inquiry

The Herald reports:

An urgent Government inquiry has been launched to uncover “exactly who” did it and why Covid-19 patient details were leaked.

State Services Minister Chris Hipkins has appointed former solicitor general Mike Heron, QC, to lead the probe into the massive Covid-19 privacy breach.

The Herald revealed on Saturday that the personal details of 18 active cases had been leaked in a spreadsheet, including their names and dates of births. Two other media outlets have also reported seeing the document.

Hipkins expected the urgent inquiry to report back by the end of the month. It will also examine how the information was stored and whether that could be improved.

As I blogged previously the data should never have been in a spreadsheet, let alone one with no password protection. You don’t need a QC to work that out.

Hipkins said there were a number of theories about how the sensitive information came to be released but he didn’t think it was human error.

“I don’t think that information tends to accidentally be sent to multiple media outlets at the same time.”

Hipkins is making an assumption, that may be unsafe.

It is fair to assume that the person who sent the info to the media did it in purpose.

But what is very possible is that person was themselves sent the information by accident – ie they were not someone meant to have it.

If you use an insecure spreadsheet, then it is very easy to send it by e-mail to the wrong person in your e-mail contacts. Possibly an official sent it to someone outside the public sector, and that person was so shocked that the data had been so insecure, that they whistleblew by sending it to the media.

I don’t know of course, but hopefully we’ll find out.