The National Health Service (NHS) has been forced to review its Covid vaccine system after finding a “seriously shocking failure” that could leak confidential medical data from the site used to make appointments.
Using their NHS number or by verifying their identity, vaccine-eligible users can book appointments for their Covid jab. However, the site currently has no built-in safeguard against a person’s confidential vaccination status being revealed to anyone with basic personal information about them.
This means that managers, for example, could check which of their employees have been vaccinated using only their names, dates of birth and postcodes.
The problem is that the site gives different responses depending on the vaccine status of the person whose details are entered. For those who have not yet had a shot, entering their details leads to a standard screening page, while those who have received a jab and booked their second are taken to a screen requesting their booking reference to manage appointments.
For users who have received both jabs, entering the basic personal information leads to a page confirming that they “have had both [their] agreements.” Alarmingly, people who have received a shot through their doctor can book their second without further verification.
A spokesman told the Guardian that NHS Digital – the health service’s IT partner – was revising the pages. “The system does not have direct access to anyone’s medical record, and people should not use the service fraudulently – it should only be used by people who book their own vaccines, or for someone who has deliberately provided their information for this purpose.”
In a series of tweets, the privacy watchdog Big Brother Watch warned that the system left vaccination status “exposed to absolutely everyone to pry in,” and added that “personal health information could be easily exploited by insurance companies, employers or fraudsters.”
This personal health information can be easily exploited by insurance companies, employers or fraudsters. Protection needs to be introduced now and an inquiry opened to determine how such a basic privacy protection is lacking on one of the most sensitive health databases in the country.
– Big Brother Watch (@BigBrotherWatch) May 6, 2021
“This is a serious shocking lack of protection of patients’ medical confidentiality at a time when it could not be more important,” the group’s director, Silkie Carlo, said in a statement, noting that date of birth and postcode “are data fields that can be easily found or purchased even on the selection list.”
Carlo called for the immediate institution of “robust protection” and an “urgent investigation” into “how basic privacy protection could be lacking in one of the most sensitive health databases in the country.”
A spokesman for the National Data Guardian (NDG), which works with the Department of Health and Social Care to regulate the use of health data, reiterated these concerns to the Guardian, saying the website was designed to be as “simple and easy as possible” to use.
They said NDG has contacted the organizations that run the site “to ensure that they are aware of the concerns raised and will discuss with them the two key objectives of protecting confidentiality while maintaining easy access to vaccinations for the public.”
As expected, the reaction from the British on social media was not so forgiving. A number of users questioned the NHS’s “satisfaction” and called it “naive” for simply asking the public not to use the site “fraudulently.”
NHS Covid jab booking site leaks people’s vaccine status. I’m really shocked by this. Did no UXs run any malicious scenarios across this app? & for NHS Digital to say “no one should use it fraudulently” is naive at best. Bad work. https://t.co/MiKNdacLwP
– Annie Drynan (@Drys) May 6, 2021