Poorly designed processes and shoddy information systems, coupled with a prevailing atmosphere of general mismanagement, have created a privacy nightmare for Americans being vaccinated against COVID-19; some of the problems being created now will likely still impact people many years after the pandemic ends. And, ironically, while so many pundits continue to raise privacy concerns about “vaccine passports” – properly implemented passports would likely create far fewer privacy issues than we have already created by our vaccine mismanagement.
Hospitals, medical clinics, labs, pharmacies, insurance companies, and others involved in the vaccination process often require people who want to be vaccinated to share large amounts of both medical and demographic data in order to register for vaccine appointments. In many cases, the parties collecting the data have provided little or no indication as to how the collected information will be stored, used, or protected.
While many of the details demanded from registrants might be useful to those studying either the effectiveness or adverse side-effects of COVID-19 vaccines, other information required in order to register for vaccination seems to be less relevant. Many registration systems, for example, require that people provide their home addresses, cellphone numbers, email addresses, and details about their professional lives, in addition to answering questions about medical conditions, ethnicity, race, gender, height, weight, allergies, etc. In some cases, Voice-over-IP numbers are not acceptable as cellphone numbers either – meaning that registrants must increase their cyber-risk by providing their actual cellphone numbers to a party that has offered no information about how that data will be protected.
It is important to realize that many registrants may be uncomfortable with providing vaccinators with some or all of the required information, and share their details only under duress. For several months, the vast majority of vaccine recipients in the USA have been people who were at high risk for life-threatening danger from COVID-19; many such folks were offered vaccines through only one venue, and were well aware that any failure to quickly comply with registration requirements would, in many cases, delay by weeks their ability to receive an initial dose, and, as such, literally prolong their exposure to life-threatening danger and/or force them to extend their seclusion in near-total physical isolation.
Additionally, vaccine shortages all over the country have incentivized millions of Americans to register for vaccination at multiple sites, with the intent of receiving the vaccine at whichever site has the first actual availability; because registration is not centralized, and sites that collect data during the registration process are not required to delete the data if a person vaccinates elsewhere, millions of records of sensitive information now live in multiple databases.
One need not be a genius to understand the tremendous value of the collected data to healthcare businesses – there is little doubt that some parties collecting personal information will use it to guide their own marketing efforts and in attempts to boost sales of medications, healthcare products, and medical services, while other collectors of data will seek to capitalize through the licensing of valuable information to others – either directly or in anonymized forms, when such is required. It is also not uncommon for firms in the healthcare vertical to symbiotically share various types of information with one another; private healthcare-related data is also almost always shared during the M&A process – even before deals have closed.
While the CDC recently instructed that vaccinators not use for commercial marketing purposes data collected as part of the COVID-19 vaccine process, there is little doubt that compliance with such instructions will be far from perfect both now and in the future. Additionally, even if the data is not used for marketing, it may be used for other purposes undesirable to those who provided it. I wonder, for example, if providers of life insurance will seek to obtain medical information provided by applicants at the time of COVID-19 vaccinations.
Furthermore, even if all vaccinators were to act as saints, healthcare organizations are regularly breached by hackers; criminals constantly seek to steal relevant data for exploitation in order to commit insurance fraud, Medicare fraud, identity theft, and other nefarious acts.
While some of the data collected by vaccinators may be, in theory, protected by the Health Insurance Portability and Accountability Act (HIPAA) and/or other healthcare-data privacy laws, many sites collecting data are likely not regulated as such. Furthermore, even in cases of facilities normally subject to HIPAA requirements, the reality is that many vaccine-related computer systems remain severely deficient when compared with normative data security and privacy practices.
I have personally witnessed several such problems. Two weeks ago, for example, I received an email from the hospital overseeing the vaccination process in my area, in which the facility provided a link at which I could download an electronic version of my vaccine card. The link contained a unique number at the end – but the number was hardly random; by sequentially increasing or decreasing the number at the end of the URL, I was able to access the login pages for others who were vaccinated. Each login page provided me with the complete first and middle names of a person who was vaccinated, along with the first letter of that person’s last name – providing such information on a login page is certainly a questionable practice. (Keep in mind that the vast majority of people vaccinated early on came from only a few towns and were within a certain age range – making search results unique or near unique even for relatively common names.) Worse yet, the only information needed to authenticate and view anybody’s vaccine card was the user’s Zip Code, Birthday, and Cellphone Number – which, for many people, can easily be found using simple Google searches. Ironically, the vaccinator had required people to provide cellphone numbers while registering in order to text out-of-band one-time-passwords needed to confirm registrations; somehow, when it came to protecting medical information, the same provider chose to treat widely known cellphone numbers as if they were passwords, rather than to use that information to strongly authenticate people via out-of-band authentication. (Note: I informed the provider of the issue immediately upon discovery, and waited over two weeks afterwards before publishing this article – yet, the vulnerability remains.)
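The three flaws described above (guessable link numbers, a login page that shows names, and publicly known facts used as passwords) each have a standard fix. The sketch below is an added example, not code from the original article or from the provider; `CardPortal`, its method names, and the timeout and attempt limits are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300      # assumption: 5-minute code lifetime
MAX_OTP_ATTEMPTS = 5       # assumption: lock the link after 5 wrong codes

class CardPortal:
    """Hypothetical vaccine-card download service (all names are illustrative)."""

    def __init__(self, send_sms):
        self._send_sms = send_sms   # callable(phone, text): out-of-band channel
        self._links = {}            # sha256(token) -> link state

    @staticmethod
    def _key(token):
        # Store only a hash so a leaked table does not yield working links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_link(self, record_id, phone):
        # 256 random bits: neighbouring links cannot be derived from one link.
        token = secrets.token_urlsafe(32)
        self._links[self._key(token)] = {
            "record_id": record_id, "phone": phone,
            "otp": None, "expires": 0.0, "attempts": 0,
        }
        return token

    def login_page(self, token):
        # Same body for valid and unknown tokens, and no name on the page.
        link = self._links.get(self._key(token))
        if link is not None and link["attempts"] < MAX_OTP_ATTEMPTS:
            link["otp"] = f"{secrets.randbelow(10**6):06d}"
            link["expires"] = time.time() + OTP_TTL_SECONDS
            self._send_sms(link["phone"], f"Your code is {link['otp']}")
        return "If this link is valid, a code was sent to the phone on file."

    def view_card(self, token, code):
        link = self._links.get(self._key(token))
        if link is None or link["otp"] is None:
            return None
        if link["attempts"] >= MAX_OTP_ATTEMPTS or time.time() > link["expires"]:
            return None
        if not hmac.compare_digest(link["otp"].encode(), code.encode()):
            link["attempts"] += 1
            return None
        link["otp"] = None          # one-time use
        return link["record_id"]
```

A production service would also rate-limit how often a code can be requested and would expire the links themselves.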
While it may be tempting for us to dismiss poor management systems as an understandable result of pandemic-related disruptions, such an attitude would be self-delusional. Not only have far more robust registration and information-retrieval systems been available commercially for many years, but the whole world has known for almost a year that vaccination management systems would be needed once COVID-19 vaccines were available. There is no excuse for the lack of planning and preparation – especially when we know that multiple other countries have done far better than we have. The same reasoning holds true for so-called “vaccine passports” – why are lawmakers discussing and debating the matter now, rather than a year ago?
And, of course, any justifications that we offer for our having deployed severely deficient systems will not lessen the pain caused by criminals who steal data now and continue to exploit it for many years after the pandemic has been relegated to history books.
While there is no way that you can totally protect yourself against the data risks associated with being vaccinated (other than by taking a far greater risk by choosing not to get vaccinated), here are some ways to help reduce your exposure:
● Provide as little information as possible to vaccinators. Discuss any medical questions with your doctor – in many cases, after speaking with your doctor, you do not need to share any related information with the vaccinator.
● If possible, register for vaccination through a provider that already has your medical information, and that is already familiar with, and subject to the requirements of, HIPAA.
● If possible, register using only one system, and for only one site.
● If you see a potential security and/or privacy risk – notify the provider. But don’t hold your breath for a fix.