NHS Digital is revising its process for booking Covid vaccinations in England after the discovery of a “seriously shocking failure” that leaked medical data from the site.
The website lets users make appointments using their NHS number or, if they do not have it to hand, some basic identity information. But in the process, users’ vaccination status is disclosed, allowing anyone who possesses basic personal details of a friend, colleague or stranger to find out what should be confidential medical information.
Employers, for instance, would in theory be able to trivially find out which of their staff had been vaccinated, while other people may feel under pressure not to get the vaccine for fear of criticism from anti-vaccination friends or colleagues.
The problem arises from the different responses the vaccination website gives depending on a user's vaccination status. Users who have not had any jabs are taken straight through to a standard screening page after entering their personal details, while users who have had their first shot and booked their second are presented with a screen asking for their booking reference to continue.