But they really have to up their game when it comes to protecting our data

A report last month in the Guardian confirmed that “NHS Digital is revising its process for booking Covid vaccinations in England after the discovery of a ‘seriously shocking failure’ that leaked medical data from the site. The website lets users make appointments using their NHS number or, if they do not have it to hand, some basic identity information. But in the process, users’ vaccination status is disclosed, allowing anyone who possesses basic personal details of a friend, colleague or stranger to find out what should be confidential medical information.”

The Guardian piece points out that, in theory, employers would be able to find out which of their staff had been vaccinated. For instance, while others may feel under pressure not to get the vaccine for fear of criticism from anti-vaccination friends or colleagues.

The problem appears to be this

In order to book an appointment via the NHS website, patients are required to provide their NHS number. However, there is an option to access the system for patients who do not know their NHS number. This is by providing a few basic details about themselves. Once those details are provided, the website takes the user to one of the following pages depending on the individual circumstances:

  • A page requesting further details for people who have not had any of the vaccines;
  • A page requesting to book the second vaccine for people who have had the first dose;
  • Or a page confirming that the person has had both vaccines.

But, as stated above, the lack of security measures on the website can easily allow a bad actor who has access to the very basic information of a third party (a postcode might be enough!) to check if that person has been vaccinated. Needless to say a person’s vaccination status is  private medical information, which should not (absent medical emergencies) be disclosed without consent.

The National Data Guardian for health and social care has commented on the case:

“The NDG has contacted the organisations which run the website to ensure that they are aware of the concerns that have been raised and will discuss with them the twin important aims of protecting confidentiality whilst maintaining easy access to vaccinations for the public.”

And the ill-fated NHS vaccination website has also come to the attention of privacy group Big Brother Watch, whose director declared:

“This is a seriously shocking failure to protect patients’ medical confidentiality at a time when it could not be more important. This online system has left the population’s Covid vaccine statuses exposed to absolutely anyone to pry into. Date of birth and postcode are fields of data that can be easily found or bought, even on the electoral roll. This is personal health information that could easily be exploited by companies, insurers, employers or scammers.”

In response the NHS has confirmed that it will take measures to increase the security of the website while maintaining an easy process for people to book their vaccinations. Let’s hope that they do just that. Nobody wants to have a go at the NHS after the 18 months they’ve endured – but keeping patient medical records confidential is a basic and an absolute must if the NHS is to retain the nation’s trust.

If you are worried your medical records have been accessed without your permission, whether those details relate to your coronavirus vaccination status or other medical information, please get in touch and one of our solicitors at DRM Legal will advise if you have a valid data breach claim.