NHS vaccination website leaks people's medical data
Simple personal information can be used to expose someone else’s vaccination status
A gaping security hole has been discovered in the NHS vaccination booking website, which can be easily exploited to find out whether someone has received a jab.
The problem relates to the way the website treats different users, depending on how far along they are in the vaccination process.
For example, if someone has not yet received any jabs, they will be funnelled to a screening page, while someone using the website to book a second jab will be prompted for a booking reference. A user who has already received both shots, meanwhile, will be redirected to a page that reads: “You have had both of your appointments.”
- We've built a list of the best password managers out there
- Check out our list of the best VPN services around
- Here's our list of the best proxy services available
While the website asks users for their NHS number, bookings can also be made using basic personal information, meaning anyone could exploit the system to access the vaccination status of anyone else.
Even more egregious, the website allows anyone with access to someone else’s personal data to book a second vaccination appointment on that person’s behalf, provided the first jab was administered by a GP.
Vaccine data disaster
Beyond the obvious breach of privacy, there are concerns vaccination status data could be abused by employers to check which of their staff have been vaccinated. Others have suggested scammers could use the information to execute targeted phishing attacks.
“This is a seriously shocking failure to protect patients’ medical confidentiality at a time when it could not be more important,” said Silkie Carlo, Director at privacy advocate group Big Brother Watch.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
“This online system has left the population’s Covid vaccine statuses exposed for absolutely anyone to pry into. Date of birth and postcode are fields of data that can be easily found or bought, even on the electoral roll.”
In response to complaints, NHS Digital has said it will revise the booking process to shield the vaccination status of UK citizens. However, the health service technology provider defended the simplicity of the website, which it claims has allowed millions to book vaccination appointments with ease.
“The online ‘book a coronavirus vaccination’ service has enabled millions of people to book their vaccinations quickly and easily, with over 17 million first and second dose appointments made in over four months,” said an NHS Digital spokesperson.
“The system does not have any direct access to anyone’s medical records and people should not be fraudulently using the service. It should only be used by people booking their own vaccines or for someone who has knowingly provided their details for this purpose.”
- Here's our list of the best identity theft protection services around
Via The Guardian
Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He's responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.