Covid vaccination booking system at centre of privacy breach stood up “at pace”

NEWS - eHealthNews.nz editor Rebecca McBeth

Canterbury DHB’s Covid-19 vaccination booking system, which potentially exposed more than 700 people’s details, needed to be stood up at pace to “continue the momentum of the vaccination rollout”, the executive lead for the DHB’s Covid-19 response says.

The DHB went live with a vaccination booking system on Friday 26 March and invited 2500 household members and whānau of frontline border workers to make appointments.

However, the system was taken down that evening after a whistleblower with “strong technical skills” detected a security vulnerability in the code and contacted the Ministry of Health.

Details including name, gender, age, and NHI number of 716 people who had registered with the system were potentially able to be viewed before it was taken offline. 

The Ministry says there is no evidence of any malicious breach, access to this information or sharing of it further.

A national booking system for Covid-19 vaccinations is being built on Salesforce, and will be available in May.

Ralph La Salle, executive lead for CDHB’s Covid-19 response, said Canterbury will move to the national booking system once implemented but chose to use indici, from Valentia Technologies, in the interim, “due to the need to continue the momentum of the vaccination rollout”.

“Valentia Technologies was chosen as other DHBs were already using indici as a booking system for staff bookings, the DHB already has an existing contract with them as an IT services provider and there was a specific need for a system we could stand up at pace.” 

AUT professor of engineering, computer and mathematical sciences Dave Parry says the breach is “not hugely serious” as it did not expose critical health information, but is not acceptable.

He says while the national system is being developed, 20 DHBs are trying to set up their own vaccination booking systems, probably with little spare time or resources.

“When you try to do things quickly you don’t have enough time to fully test and there was probably also a feeling that it is not worth investing huge resources because it will be replaced by a national system fairly soon,” he tells eHealthNews.nz.

“This goes to the broader picture of underinvestment in health IT in New Zealand and the reactive nature of setting these systems up.” 

“Having a robust set of booking systems available to interface with other systems would be very useful across the country.”

La Salle says the DHB has contacted the individuals affected or potentially affected to let them know and to apologise.
 
“There were some people who were understandably upset by the news, but the majority were most concerned with whether their vaccination would go ahead or not – and they will,” La Salle says.
 
The DHB is now making bookings by calling people directly until an electronic system is 
thoroughly tested and available again.

President of technical services at Valentia Technologies Javad Ahmed says the bespoke vaccination appointment booking application was provided to some DHBs on a temporary basis pending the release of a national system.

Upon being notified of an issue with the system last week, this was “immediately rectified”, he says.

He adds that the application is hosted separately from the indici practice management system and had no impact on the PMS platform.

Director-general of health Ashley Bloomfield described the incident as “unfortunate” saying, "all health services take the privacy of individuals very seriously".

Prime Minister Jacina Ardern told a press conference, “that’s not a situation anyone wants, we are working closely with the DHB on what’s happened here, but it is not an issue we believe has occurred in any other DHBs.”

If you would like to provide feedback on this news story, please contact the editor Rebecca McBeth.

Read more Covid-19 news

Return to eHealthNews.nz home page