Flaw on NHS jab website allows working out another's vaccine status

Security flaw is exposed on NHS Covid jab booking website that allows users to work out another person’s vaccine status

  • Flaw in vaccine booking website means people can work out another’s status
  • Service requires NHS number or information including name, DOB and postcode
  • Responses on subsequent screen can show whether they’ve been vaccinated 

An apparent flaw has been uncovered on the coronavirus vaccine booking website that allows anyone to work out another person’s status using basic personal information. 

The service for England requires an individual’s NHS number or simply their name, date of birth and postcode to arrange an appointment. 

Using such simple details, the responses on the subsequent screen can be used to deduce whether a person has been vaccinated. 

According to The Guardian, using the information of a person who has not had any jabs goes through to a standard screening page. 

However, if the person has had both or one of their vaccination doses, this is disclosed on the next screen.  

An apparent security flaw in the NHS Covid-19 jab booking website has been exposed as it has been reported it allows anyone to work out another person’s status using basic personal information, including name, DOB and postcode (FILE PHOTO)

An individual who has had their first vaccination and has already booked a second is asked to provide a booking reference. 

Those who have had both jabs are shown a page which reads ‘you have had both of your appointments’. 

Friends, colleagues and strangers are able to find out the confidential medical information, including employers who are able to find out which of their staff had been vaccinated.  

It was reported that details can also be abused to make a second vaccine booking for people who have only had their first jab through a GP so far. 

Without any further verification, the screen lets the person book their follow-up dose if they had their first jab at the GP.  

Across the UK, nearly 35 million people have received the first dose of their vaccination, while more than 16 million people have received the second. 

Across the UK, nearly 35 million people have received the first dose of their vaccination, while more than 16 million people have received the second

In total, more than 51,225,000 vaccinations have been given across the country.    

Silkie Carlo, director of privacy campaigners Big Brother Watch, said: ‘This is a seriously shocking failure to protect patients’ medical confidentiality at a time when it could not be more important. 

‘This online system has left the population’s Covid vaccine statuses exposed to absolutely anyone to pry into.

‘Date of birth and postcode are fields of data that can be easily found or bought, even on the electoral roll.

‘This is personal health information that could easily be exploited by companies, insurers, employers or scammers.’ 

An NHS Digital spokesman said it is reviewing and improving the standard messages that are presented on the website. 

Today, 2,613 new coronavirus infections were reported, a 6.9 per cent increase on last Thursday, while 13 deaths were reported, down 40.9 per cent from last week

A statement said: ‘Over 17 million first and second dose appointments have been made in over four months. 

‘This is making a significant impact on the management and containment of the pandemic and is saving lives.  

‘The system does not provide access to anyone’s medical record and people should not be fraudulently using the service – it should only be used by people booking their own vaccines or for someone who has knowingly provided their details for this purpose.’

At the moment, those aged 40 or over as well as those who are high risk from Covid-19 and those who have a condition that puts them at a higher risk can book their vaccine on the portal. 

It is also available for those with a learning disability, frontline health or social care workers and those who receive a Carer’s Allowance, who get support following an assessment by their local authority or GP record shows they’re a carer.    

Source: Read Full Article