NHS Digital, whose site is used for COVID-19 vaccination booking in the UK, is reshaping the process by which it accepts bookings after discovering a massive failure that leaked sensitive medical data from the site. Since its launch, the site has required users to book COVID-19 vaccination appointments by providing either their NHS number or some basic identity information.
Here’s where the problem arose: NHS Digital ended up disclosing the vaccination status of its users to just about anybody who could obtain basic information about a friend, coworker, or family member.
Employers, for instance, can find out the vaccination status of their employees by simply entering their basic info on NHS Digital. This would, in some cases, even result in employers pressuring their employees to get vaccinated, or simply exerting peer pressure by making vaccination data public within the organization.
Here’s where things get even worse: while users who haven’t had even a single shot of the vaccine are asked to enter details on the website, those who have had their first shot from a general practitioner and are applying for the second are allowed to book it directly, without any further authentication or verification.
Furthermore, users who have had both vaccine shots have their vaccination status revealed immediately when their basic information is entered on the site.
“This is a seriously shocking failure to protect patients’ medical confidentiality at a time when it could not be more important. This online system has left the population’s Covid vaccine statuses exposed to absolutely anyone to pry into. Date of birth and postcode are fields of data that can be easily found or bought, even on the electoral roll,” said Silkie Carlo, the director of Big Brother Watch.
Carlo further highlighted that such sensitive vaccination data can be potentially exploited by scammers, companies, and insurers while calling for an “urgent investigation” to find out how such “basic privacy protections” were missing from such a sensitive and private health database.
A spokesperson for the national data guardian (NDG) for health and social care said that the office had received concerns with regard to NHS Digital and that the NDG had gotten in touch with the parties responsible for the website. NHS Digital, for its part, said that the pages were going to be revised to eliminate the privacy threat.
The incident is similar to New York’s vaccine passport, which was leaking private medical data to anyone who entered a person’s address details.