Thu 6 May 2021
NHS Digital is revising its process for booking Covid vaccinations in England after the discovery of a “seriously shocking failure” that leaked medical data from the site.
The website lets users make appointments using their NHS number or, if they do not have it to hand, some basic identity information. But in the process, users’ vaccination status is disclosed, allowing anyone who possesses basic personal details of a friend, colleague or stranger to find out what should be confidential medical information.
Employers could therefore, in theory, trivially check which of their staff had been vaccinated, while others may feel under pressure not to get the vaccine for fear of criticism from anti-vaccination friends or colleagues.
The problem stems from the different responses the booking site gives depending on the user’s vaccination status: the page returned after the identity details are entered is itself the disclosure. Users who have had no jabs are taken straight through to a standard screening page, while users who have had their first shot and already booked their second are shown a screen asking for their booking reference to continue.
But for people who have received both vaccinations, simply entering the basic biographical details leads straight to a page that says “you have had both of your appointments”. Worst of all, users who have had only one jab through a GP and have not booked a second are taken to a screen that lets the follow-up be booked then and there, without any further verification, so anyone holding those details could book an appointment in their name.
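The flaw described above is a classic response oracle: the server branches on confidential state before it has verified who is asking, so the branch taken reveals the state. The following is an added example, not NHS Digital's code, that models the reported flow beside a hardened version which returns an identical first page for every input and discloses state only after the caller proves control of a contact channel held on the record. The sample records, page names, the one-time-code step and the `PENDING`/`OUTBOX` stores are constructed assumptions for illustration.

```python
"""
Status-oracle flaw modelled from the article's description, beside a hardened
flow. Added example, not NHS Digital's code; records, page names and the
one-time-code step are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple
import hmac
import secrets


@dataclass
class Record:
    doses: int            # 0, 1 or 2
    second_booked: bool   # a second appointment already exists
    contact: str          # channel only the real patient controls (assumed)


@dataclass
class Response:
    page: str                        # what the caller sees
    challenge: Optional[str] = None  # opaque handle for the verification step (hardened flow only)


# Constructed sample data, one record per state the article describes. Keys are
# the "basic identity information": date of birth and postcode.
RECORDS: Dict[Tuple[str, str], Record] = {
    ("1955-03-02", "SW1A 1AA"): Record(0, False, "phone:+44-000-0001"),
    ("1971-11-09", "M1 1AE"):   Record(1, True,  "phone:+44-000-0002"),
    ("1988-07-21", "EH1 1YZ"):  Record(1, False, "phone:+44-000-0003"),
    ("1949-05-30", "CF10 1EP"): Record(2, False, "phone:+44-000-0004"),
}
UNKNOWN = ("2000-01-01", "ZZ9 9ZZ")   # no record; probes whether existence leaks too


def page_for(rec: Optional[Record]) -> str:
    """The state-specific page the article describes. Safe only once the caller is verified."""
    if rec is None:
        return "not_found"
    if rec.doses == 0:
        return "screening_page"
    if rec.doses == 1 and rec.second_booked:
        return "enter_booking_reference"
    if rec.doses == 1:
        return "book_second_dose_now"    # worst case: a stranger can book on the patient's behalf
    return "both_appointments_done"


def vulnerable_lookup(dob: str, postcode: str) -> Response:
    """Flow as reported: the first response is a function of the record's state,
    so date of birth plus postcode is enough to read vaccination status."""
    return Response(page=page_for(RECORDS.get((dob, postcode))))


# Hardened flow: identical first response for every input; state is shown only
# after the caller proves control of the registered contact.
PENDING: Dict[str, Tuple[Optional[Tuple[str, str]], str]] = {}  # challenge -> (record key, code)
OUTBOX: Dict[str, str] = {}                                      # contact -> code, stands in for SMS


def hardened_lookup(dob: str, postcode: str) -> Response:
    key = (dob, postcode)
    rec = RECORDS.get(key)
    challenge = secrets.token_urlsafe(16)
    code = f"{secrets.randbelow(10**6):06d}"
    # Same work and same page whether or not a record exists; an unknown key gets
    # a challenge that can never verify, so "not found" is not observable here.
    PENDING[challenge] = (key if rec is not None else None, code)
    if rec is not None:
        OUTBOX[rec.contact] = code
    return Response(page="code_sent_to_registered_contact", challenge=challenge)


def hardened_continue(challenge: str, submitted_code: str) -> str:
    """Second step: one attempt per challenge, constant-time code comparison."""
    entry = PENDING.pop(challenge, None)
    if entry is None:
        return "verification_failed"
    key, code = entry
    if key is None or not hmac.compare_digest(code, submitted_code):
        return "verification_failed"
    return page_for(RECORDS[key])


def distinct_pages(lookup: Callable[[str, str], Response]) -> Set[str]:
    """Indistinguishability check: probe every known record plus an unknown
    identity and collect the pages returned. A leak-free first step yields one page."""
    return {lookup(*k).page for k in list(RECORDS) + [UNKNOWN]}


if __name__ == "__main__":
    print("vulnerable:", sorted(distinct_pages(vulnerable_lookup)))
    print("hardened:  ", sorted(distinct_pages(hardened_lookup)))
```

Two points the model makes concrete. First, the second factor has to be something a third party cannot obtain the way Carlo notes date of birth and postcode can be bought; a code delivered to the contact already on the record is one such factor, a booking reference the user is asked to type is not if the flow hands it out on an unverified branch. Second, `distinct_pages` is the test to keep in a CI suite: the unverified step must return the same page for an unknown identity as for every record state, and in a real deployment the same discipline applies to response size and timing, which this model does not measure.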
“This is a seriously shocking failure to protect patients’ medical confidentiality at a time when it could not be more important,” said Silkie Carlo, the director of privacy group Big Brother Watch.
“This online system has left the population’s Covid vaccine statuses exposed to absolutely anyone to pry into. Date of birth and postcode are fields of data that can be easily found or bought, even on the electoral roll.
“This is personal health information that could easily be exploited by companies, insurers, employers or scammers. Robust protections must be put in place immediately and an urgent investigation should be opened to establish how such basic privacy protections could be missing from one of the most sensitive health databases in the country.”
A spokesperson for the national data guardian for health and social care, who regulates the use of medical data, confirmed the concerns. “The office of the national data guardian has been contacted by two individuals about the way that the coronavirus booking website works,” she said.
“It is important that it is as simple and easy as possible for people to book their vaccinations and we understand that the website has been developed to support this aim. The NDG has contacted the organisations which run the website to ensure that they are aware of the concerns that have been raised and will discuss with them the twin important aims of protecting confidentiality whilst maintaining easy access to vaccinations for the public.”
NHS Digital said it was working to revise the pages, and a spokesperson said: “The online ‘book a coronavirus vaccination’ service has enabled millions of people to book their vaccinations quickly and easily, with over 17m first and second dose appointments made in over four months.
“The system does not have any direct access to anyone’s medical record and people should not be fraudulently using the service – it should only be used by people booking their own vaccines or for someone who has knowingly provided their details for this purpose.”