Vaccine booking site flaw allows people to work out another user’s status
6 May 2021, 15:24
Using basic personal details, booking pages enable users to deduce whether someone has had a jab.
An apparent flaw has been uncovered on the coronavirus vaccine booking website that allows anyone to work out another person’s status using basic personal information.
The service for England requires an individual’s NHS number or simply their name, date of birth and postcode to arrange an appointment.
Using such simple details, the responses on the subsequent screen can be used to deduce whether a person has been vaccinated.
According to The Guardian, entering the details of a person who has not had any jabs leads to a standard screening page.
An individual who has had their first vaccination and has already booked a second is asked to provide a booking reference.
Those who have had both jabs are shown a page which reads “you have had both of your appointments”.
It was reported that details can also be abused to make a second vaccine booking for people who have only had their first jab through a GP so far.
Silkie Carlo, director of privacy campaigners Big Brother Watch, said: “This is a seriously shocking failure to protect patients’ medical confidentiality at a time when it could not be more important.
“This online system has left the population’s Covid vaccine statuses exposed to absolutely anyone to pry into.
“Date of birth and postcode are fields of data that can be easily found or bought, even on the electoral roll.
“This is personal health information that could easily be exploited by companies, insurers, employers or scammers.”
An NHS Digital spokesman said it is reviewing and improving the standard messages that are presented on the website.
“Over 17 million first and second dose appointments have been made in over four months,” a statement said.
“This is making a significant impact on the management and containment of the pandemic and is saving lives.
“The system does not provide access to anyone’s medical record and people should not be fraudulently using the service – it should only be used by people booking their own vaccines or for someone who has knowingly provided their details for this purpose.”
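The behaviour reported above is a response-differential leak: the page shown after entering someone's details depends on their vaccination status. The following is an added example, not NHS Digital code, that models the three reported responses beside one possible design that shows the same page to everyone until the caller passes a verification step; the record data, the sign-in code step and all function names are assumptions made for illustration.

```python
# Constructed model of the reported behaviour; not NHS Digital code.
from enum import Enum

class Status(Enum):
    NO_JABS = 1
    FIRST_DONE_SECOND_BOOKED = 2
    BOTH_DONE = 3

# Constructed sample records keyed by (name, date of birth, postcode).
RECORDS = {
    ("A Example", "1970-01-01", "ZZ1 1ZZ"): Status.NO_JABS,
    ("B Example", "1960-02-02", "ZZ2 2ZZ"): Status.FIRST_DONE_SECOND_BOOKED,
    ("C Example", "1950-03-03", "ZZ3 3ZZ"): Status.BOTH_DONE,
}

# The three pages as the article describes them.
STATUS_PAGES = {
    Status.NO_JABS: "screening questions",
    Status.FIRST_DONE_SECOND_BOOKED: "enter your booking reference",
    Status.BOTH_DONE: "you have had both of your appointments",
}

# Assumed wording for a status-neutral page (hypothetical, not from the site).
UNIFORM_PAGE = "if these details match a record, a sign-in code has been sent"

def respond_leaky(identity):
    """Reported behaviour: the next page is chosen by vaccination status."""
    return STATUS_PAGES[RECORDS[identity]]

def respond_uniform(identity):
    """Assumed fix: same page for every identity, matched or not."""
    return UNIFORM_PAGE

def respond_after_verification(identity, code_ok):
    """Status-specific page only once the (assumed) sign-in code checks out."""
    if not code_ok or identity not in RECORDS:
        return UNIFORM_PAGE
    return STATUS_PAGES[RECORDS[identity]]

def pages_by_status(respond):
    """Map each distinct page to the statuses that produce it.
    More than one key means the page reveals status to whoever typed the details."""
    groups = {}
    for identity, status in RECORDS.items():
        groups.setdefault(respond(identity), set()).add(status.name)
    return groups

if __name__ == "__main__":
    for name, fn in (("leaky", respond_leaky), ("uniform", respond_uniform)):
        print(name, "distinguishable pages:", len(pages_by_status(fn)))
```

A check like `pages_by_status` can run as a regression test on any lookup step that accepts details a third party could know.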