Vulnerabilities in the Covid-19 vaccination booking website put the UK population's personal data at risk

NHS Digital is facing criticism after it was discovered that a vulnerability in the organisation's Covid-19 vaccination booking website had exposed confidential medical data. In the past four months, the website has facilitated the vaccination process for over 17 million people in the UK.

The website, which had been designed for simplicity, allowed users to make appointments by providing basic identity information (that is, if they did not have their NHS number to hand). However, it was seemingly overlooked that this could enable anyone with access to such information (such as relatives, colleagues and friends) to discover confidential information relating to that person's vaccination status. Upon entering the basic identity information, users were taken to different pages, and the page shown was determined by the stage that person had reached in the vaccination process. For example, individuals who had not yet received their first jab would be taken to a standard screening page; those who had received their first but not second jab were asked to provide their booking reference to continue; and those who had received both vaccinations were taken to a screen which stated "you have had both of your appointments". Of further concern, those individuals who had not yet received their second vaccination were able to book this without going through any further authentication process.
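The disclosure described above comes from routing on vaccination state before the requester has proved who they are. The following is an added example, not NHS Digital's code: the records, page names and the idea of a second verifier (such as an NHS number) are assumptions, and `leaked_states` is a hypothetical regression check that the unauthenticated response does not vary with state.

```python
import hmac

# Constructed sample records; identities and secrets are illustrative only.
RECORDS = {
    ("Ann Example", "1950-01-01", "AB1 2CD"): {"doses": 0, "secret": "nhs-0001"},
    ("Bob Example", "1951-02-02", "EF3 4GH"): {"doses": 1, "secret": "nhs-0002"},
    ("Cy Example", "1952-03-03", "IJ5 6KL"): {"doses": 2, "secret": "nhs-0003"},
}

# Page names are assumptions modelled on the three screens the article describes.
PAGES = {0: "screening", 1: "enter-booking-reference", 2: "had-both-appointments"}


def route_vulnerable(identity):
    """Behaviour described in the article: the page depends on the dose count."""
    record = RECORDS.get(identity)
    return PAGES[record["doses"]] if record else "not-found"


def route_hardened(identity, secret=""):
    """Show one neutral page unless a second verifier matches the record."""
    record = RECORDS.get(identity)
    expected = record["secret"] if record else ""
    # Constant-time comparison; an unknown identity is treated like a wrong secret.
    matches = hmac.compare_digest(secret.encode(), expected.encode())
    if record is not None and matches:
        return PAGES[record["doses"]]
    return "verify-identity"


def leaked_states(router):
    """Distinct pages a caller holding only basic identity data can observe."""
    return {router(identity) for identity in RECORDS}


if __name__ == "__main__":
    print("vulnerable:", sorted(leaked_states(route_vulnerable)))
    print("hardened:  ", sorted(leaked_states(route_hardened)))
```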

A spokesperson for the national data guardian for health and social care acknowledged concerns in a public statement: “It is important that it is as simple and easy as possible for people to book their vaccinations and we understand that the website has been developed to support this aim. The NDG has contacted the organisations which run the website to ensure that they are aware of the concerns that have been raised and will discuss with them the twin important aims of protecting confidentiality whilst maintaining easy access to vaccinations for the public.” 

NHS Digital has since confirmed that it is working to revise the pages.