Cybersecurity Risks and Your Vaccine: What Americans Need to Know

April 23, 2021

It’s been a little over a year since COVID-19 arrived in the United States, and vaccines are finally rolling out. Most states are vaccinating people in “groups,” determined by factors such as age, pre-existing conditions/risk factors, and employment type among other things. President Biden has stated that he expects all adults (18 years and older) to be eligible to receive a vaccine by May 1.

Many people are excited and eager to get vaccinated and move one step closer to the return to normalcy. After getting vaccinated, you receive a vaccine card from the CDC with information such as your name, birthday, which vaccine was administered, and sometimes other health information. This little white piece of paper is actually an important document for people to keep, the CDC says. It’s likely these cards, serving as proof of vaccination, will be required for travel in the future.

Posting a selfie with a vaccine card has become synonymous with posting a selfie with a “I voted” sticker. But many experts are warning people not to post a selfie with their vaccine cards because of cybersecurity risks.

It has become a trend after getting vaccinated to share a selfie with the vaccine card on social media. Many people are praising this public sharing as a way to normalize getting vaccinated and encourage others to do the same. Posting a selfie with a vaccine card has become synonymous with posting a selfie with a “I voted” sticker. But many experts are warning people not to post a selfie with their vaccine cards because of cybersecurity risks.

Vaccine cards contain private, sensitive information like your full name and birthday. The biggest concern here is this information, in conjunction with a person’s digital footprint, leaves them vulnerable to identity theft. The information on vaccine cards gives criminals another “piece[] of the puzzle,” in collecting information to commit fraud like opening an account or filing taxes in your name.

Identity theft is not the only risk with posting the cards; in Great Britain, people were caught selling counterfeit vaccine cards on eBay and Tik Tok. Posting cards makes it easier for people to forge them. It is possible that people will eventually be required to show a “vaccine passport” to engage in travel in other activities. The European Union has already proposed a digital vaccine passport, which would allow people to show proof that they are vaccinated, received a negative test, or have the COVID-19 antibodies. IBM is creating a “Digital Health Pass” which they say will “provide organizations with a smart way to bring people back to a physical location.” But the Identity Theft Resource Center warns that “[t]here are no current programs in the U.S. that use or require a vaccine passport,” so people should be wary that any messages or apps about a vaccine passport are a scam. Another issue with vaccine passports or health apps in general, if they do eventually become commonplace, is that people may not want to share their health information with companies. Since COVID and the rise of telehealth and contract tracing, we are likely to face “an increased risk of data privacy and data breach class actions related to health and other personal data.” These same risks are present if we ultimately decide to enforce a digital vaccine passport.

Another concern is that vaccine scheduling is commonly being done through apps, emails, and text messages. For example, North Carolina residents can sign up for a waitlist through their specific counties. Then when it is their turn to get a vaccine, they may get a call, email, or text notification to schedule an appointment. By text or email, that notification will have a link to the website for them to make the appointment online. But the Department of Homeland Security Cybersecurity & Infrastructure Security Agency (CISA) is advising people not to click on links or give personal information over the phone or internet without first verifying the source. People can hover over links to see what address they lead to or re-type the link into their search engine to check that it is legitimate.

With the Pfizer and Moderna vaccines, upon first vaccination, NC residents will likely get an email or text notification to set up a second appointment. This carries the same risks as the first notifications, but it likely seems more legitimate because it shows awareness that the person already got their first vaccine. Especially if the person posted their vaccine card, any hacker could fake a text and make it seem even more legitimate with access to the information from the vaccine card.

The CDC has identified common COVID-19-related phone scams and phishing attacks. There is software available that allows scammers to make a call that will appear to come from any phone number. Criminals can impersonate government officials and ask for personal information. Cyber criminals are also capitalizing on the pandemic to send fake emails appearing to come from the CDC or another health organization. For example, they could send an email that appeared to be from the CDC with a link that says “sign up for your COVID-19 vaccine here!” but the link is actually a virus, or the link asks for personal information before “signing up.” The FTC, DOJ, and CISA have all released information about common COVID-19-related scams to be aware of and how to best protect yourself against those cybercrimes.

While it is an exciting time for Americans as we inch closer to the end of the pandemic, it is also important that we do not let our guards down when it comes to these cybersecurity risks.

Margaret Daly