Pharmaceutical company AstraZeneca has blamed “user error” for leaving a list of credentials unsecured online for more than a year that exposed access to sensitive patient data.