NHS Digital booking website had unexpected side effect: It leaked people's jab status

Wanna find out if your employee has had a shot? Just lob her postcode and DoB into this website


An NHS Digital-run vaccine-booking website exposed just how many vaccines individual people had received – and did so with no authentication, according to the Guardian.

The booking page, aimed at English NHS patients wanting to book first and second coronavirus jabs, would tell anyone at all whether a named person had had zero, one or two vaccination doses, the newspaper reported on Thursday.

All you need, it says, are the date of birth and postcode of the person whose vaccination status you wanted to check up on. These details are not difficult to find online with some obvious search terms.

Exposure of confidential medical information could be achieved thanks to a design decision, similar to a flaw in the UK census online form reset request that could have let anyone spoof households’ details.

Those with no COVID-19 vaccination have to sign up and hand over some personally identifying data as they do so; recipients of the first and second doses already have that info on file.

“For users who have not had any jabs, entering personal details takes them straight through to a standard screening page, while for users who have had their first shot and booked their second, they are presented with a screen asking for their booking reference to continue,” said the Grauniad. If you input the personal details of someone who had already had both jabs, that dumped you to a screen saying “you have had both of your appointments”.

An underhand employer, anti-vaxxer nutjob or similarly malicious person could therefore run vaccine checks on the status of random people with no authentication.

Various civil liberties folk queued up (rightly) to condemn this laxity, with Big Brother Watch’s Silkie Carlo leading the charge, describing it as “seriously shocking” and calling for “robust protections to be put in place immediately”.

“This online system has left the population’s Covid vaccine statuses exposed to absolutely anyone to pry into," she said. "Date of birth and postcode are fields of data that can be easily found or bought, even on the electoral roll."

NHS Digital said in a statement: “The system does not have any direct access to anyone’s medical record and people should not be fraudulently using the service – it should only be used by people booking their own vaccines or for someone who has knowingly provided their details for this purpose.”

Vaccination status is set to become a political hot potato as the UK restarts its economy following the 2020 COVID-19 shutdown. Government policy is to enforce vaccine passports, initially as a means of deterring overseas travel but rumours persist that they will be required for domestic activities. To that end, the ruling Conservatives’ insincere promise in December that vaccine passports wouldn’t become reality at all has prompted a 350,000 strong Parliamentary petition against them.

Carelessness around health data in general has been a feature of the current government’s tech-driven approach to tackling COVID-19. Such repeated incidents have a habit of lodging themselves in the public’s consciousness, making it harder to gain consent for genuine health-boosting measures based on handing data over to public sector bodies. ®

Similar topics


Other stories you might like

Biting the hand that feeds IT © 1998–2021