The Offices of the New York State Inspector General today released the findings of its investigation of the New York State Department of Health's (DOH) COVID-19 vaccination scheduling website. The investigation found that myriad unintentional factors led to more than 28,000 premature appointments made by members of the public in January 2021.
On January 14, 2021, the Office of Information Technology Services (ITS) referred to the Inspector General an allegation that the State’s COVID-19 vaccine scheduling website had been prematurely accessed. This resulted in nearly 20,000 appointments being scheduled at the State University of New York (SUNY) Stony Brook University vaccination site more than 24 hours before the website was scheduled to become public. Similarly, appointments were prematurely scheduled for State-operated sites in Binghamton, Buffalo, Plattsburgh, Potsdam, and Utica. Ultimately, more than 28,000 vaccine appointments were scheduled and then canceled due to the premature access by the public and questions about applicants’ eligibility to receive a vaccine.
The development of New York State’s vaccination scheduling website was a collaborative effort between DOH, ITS, and Health Research, Inc. (HRI). DOH’s already-established Vaccine Data System was employed to collect information from individuals seeking a vaccine and share it with the New York State Immunization Information System (NYSIIS) and the Citywide Immunization Registry (CIR). The Vaccine Data System was selected due to the many health care providers across the State already familiar with and successfully using the program, and its proven and effective ability to interface with NYSIIS. Notably, however, the Vaccine Data System had never been utilized for such a large-scale vaccination effort.
New York State contracted with Deloitte to create an eligibility screening tool to appear before the Vaccine Data System. To schedule an appointment at a State-operated vaccination site, a person first had to verify their eligibility to receive a vaccine by answering a series of questions within the screening tool. If determined to be eligible, the person was then permitted to schedule an appointment on the Vaccine Data System.
The Inspector General found no evidence that systems had been compromised by cyber criminals or that State employees or contractors who possessed advanced access to scheduling links leaked them to the public.
However, the Inspector General found several factors caused premature public access to the system:
- Due to a misunderstanding about a function of the program by most of the Vaccine Data System’s architects, programmers, and administrators, immediate and unintentional public access was given once a vaccination event was created in the system.
- The sequential numbering of links to vaccination scheduling websites created a vulnerability. By altering the scheduling identification numbers in a known website address, an individual could discover a different vaccination scheduling website that had not yet been published.
- Screening tool users were able to view the address of a vaccination scheduling website in their browser. Individuals were able to directly access those sites by simply copying and pasting the address into the address bar to schedule appointments, thereby bypassing the screening tool.
- Websites created exclusively for training purposes were accessed and used by the public. Although these sites were clearly identified as training modules, they were used to sign up for appointments that did not exist.
- Once a link to a scheduling website had been identified by a user, it could be widely disseminated via social media and used by others. In minutes, an individual could simply copy and paste website links into text messages or emails and distribute them to individuals or groups of people. In fact, counties, school districts, union leaders, and religious communities distributed premature links through mass email distribution lists.
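The factors listed above share one root: the scheduling address alone was enough to book. The following sketch is an added example, not code from the report or from the State's systems, showing a server-side booking check that does not depend on the address staying secret. All names (`Event`, `may_book`, `issue_screening_token`, the key and the 15-minute lifetime) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SCREENING_KEY = secrets.token_bytes(32)  # assumed: secret shared by screening tool and scheduler
TOKEN_TTL = 900                          # assumed: seconds a screening result stays valid

@dataclass
class Event:
    name: str
    publish_at: float        # epoch seconds; creating an event does not open it
    training: bool = False   # training events never accept real bookings
    # random identifier, so a known address reveals nothing about other events
    event_id: str = field(default_factory=lambda: secrets.token_urlsafe(16))

def _mac(event_id, expires):
    msg = f"{event_id}|{expires}".encode()
    return hmac.new(SCREENING_KEY, msg, hashlib.sha256).hexdigest()

def issue_screening_token(event_id, now):
    """Issued by the screening tool after a person is found eligible."""
    expires = str(int(now) + TOKEN_TTL)
    return f"{expires}.{_mac(event_id, expires)}"

def token_valid(event_id, token, now):
    expires, _, mac = token.partition(".")
    if not expires.isdecimal() or int(expires) < now:
        return False
    return hmac.compare_digest(mac.encode(), _mac(event_id, expires).encode())

def may_book(events, event_id, token, now):
    """Decide one booking request on the server; returns (allowed, reason)."""
    event = events.get(event_id)
    if event is None:
        return False, "unknown event"
    if event.training:
        return False, "training event"
    if now < event.publish_at:
        return False, "not yet published"
    if not token or not token_valid(event_id, token, now):
        return False, "screening required"
    return True, "ok"
```

The token here is bound to an event and an expiry time, not to a person, so a forwarded link with a live token still works until it expires; binding it to a session would narrow that further.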
The Inspector General also found that pre-launch testing of the Vaccine Data System was insufficient, and once fully deployed, the system struggled to handle the high public demand.
The investigation found that the public were unaware they were prematurely using website links or that they were bypassing the required screening tool. However, even for those who bypassed the screening tool, the Vaccine Data System contained an eligibility attestation and proof of eligibility was required at vaccination sites.
Notably, the Inspector General found that staff of ITS, DOH, and HRI worked ceaselessly and competently to respond to the unprecedented demand for vaccination appointments and quickly implemented corrective actions when issues were discovered. The entities have made more than 100 improvements to the vaccine scheduling application, including security improvements, stronger firewalls, and a virtual waiting room to manage large online queues.
The issues found in this investigation were not unique to New York State, as nearly every state in America faced challenges involving vaccination administration and distribution, with issues reported as being largely related to technology, access, or supply limitations. Despite these challenges, as of October 13, 2021, the CDC reported that 404,371,247 vaccine doses had been administered in the United States, and 187.9 million people—more than 56.6 percent of the population of the United States—were fully vaccinated. Per CDC, 64.6 percent of the total population of New York was fully vaccinated, with 26,032,099 vaccine doses having been administered in New York State.
The findings are timely given the current expansion of vaccine eligibility to include booster shots and the anticipated deployment of vaccines for children ages five to 11. Therefore, the Inspector General recommends that ITS, DOH, and HRI take specific actions:
- Conduct routine testing of the screening tool and the Vaccine Data System
- Review testing protocols to ensure their functionality during disasters and emergencies
- Promulgate written guidance regarding the confidentiality of scheduling links
- Consider eliminating or minimizing website addresses in training modules and materials
“State employees worked tirelessly to get the vaccination registration program off the ground in record time and with outstanding results,” said acting Inspector General Robyn Adair. “However, several factors left open the possibility for members of the public to prematurely and unknowingly ‘jump the line.’ While DOH, ITS, HRI and others were able to curtail the vulnerabilities, our investigation identified ways to ensure that the State’s vaccination registration system is able to withstand ongoing efforts to fairly and efficiently get shots in the arms of all New Yorkers.”
The Inspector General’s report, Investigation of the New York State Department of Health COVID-19 Vaccination Scheduling Website, is online.