NHS Digital revising Covid vaccine booking site after ‘users info leaked’

NHS Digital is revising the process for booking Covid vaccinations following reports medical data could be leaked from the website.

According to The Guardian, the website only requires basic personal information to reveal a person’s Covid vaccination status.

The office of the National Data Guardian for health and social care confirmed to Digital Health News it had been contacted by people concerned about the “way that the coronavirus booking website works”.

To book an appointment through the website people will need their NHS number, or be required to provide basic identity information including their name, date of birth and postcode.

But it was reported that during that process, a person’s vaccination status is disclosed, which could allow anyone with basic personal information about a friend, family member or colleague, to access their medical information.

In theory, it could allow employers to find out if their staff have been vaccinated, for example.

The issue, first reported by The Guardian, is supposedly caused because of different responses the website gives to users based on their vaccine status. Those who have had the jab get taken straight to a screen asking for their vaccine booking reference, while those who have not had the jab are taken to a screening page.

For those who have had only their first jab the website reportedly allows them to book their second dose without any further verification.

Phil Booth, coordinator of privacy group medConfidential, told Digital Health News the potential for data leaks was “indefensible”.

He said if the government wanted to use patient’s Covid-19 data in the future it must first prove “they are competent and can be trusted”.

“Exposing people’s medical information in this way is indefensible. It’s an avoidable error that should’ve been picked up at the design stage,” he said.

A spokeswoman for the National Data Guardian for health and social care said: “The office for the National Data Guardian has been contacted by some individuals with concerns about the way that the coronavirus booking website works.

“It is important that it is as simple and easy as possible for people to book their vaccinations and we understand that the website has been developed to support this aim.

“The office of the National Data Guardian has contacted the organisations which run the website to ensure that they are aware of the concerns that have been raised and will discuss with them the twin important aims of protecting confidentiality whilst maintaining easy access to vaccinations for the public.”

NHS Digital confirmed to Digital Health News it was working to revise the pages but assured the website does not have direct access to medical records.

“The system does not have any direct access to anyone’s medical record and people should not be fraudulently using the service – it should only be used by people booking their own vaccines or for someone who has knowingly provided their details for this purpose,” they added.