Bloomberg Law
Jan. 7, 2022, 9:00 AM

How Private Is Your Digital Vaccine Record?

Sandy B. Garfinkel
Eckert Seamans Cherin & Mellott LLC
Emma M. Lombard
Eckert Seamans Cherin & Mellott LLC

The rise in vaccination requirements among several states and cities has led many individuals to store copies of their Covid-19 vaccination cards on their phones. Others have authenticated their vaccine cards using “vaccine passports” or other similar apps.

Mobile phones are ubiquitous, and we already use them for many purposes that involve sensitive information about ourselves. With mobile phones, users can quickly provide their inoculation status to enter restaurants, events, and other venues requiring proof of vaccination.

However, mobile device users should beware—by making their personal Covid-related health data, including vaccine passports and test results, “easily accessible” to themselves, they could also unknowingly make it easily accessible to others.

Personal Data on Your Vaccine Card

Unfortunately, vaccine cards are designed to include personally identifiable healthcare information. The CDC’s vaccination card form prompts vaccine providers to record the recipient’s full name and date of birth on the card, alongside the vaccine product, lot number, and dates of each dose.

States like Washington and North Dakota consider an individual’s date of birth, on its own, to be personally identifiable information (PII). Under HIPAA, a date of birth is one of the identifiers that, when linked to health information held by a covered entity or its business associate, makes that information protected health information (PHI). Note that HIPAA governs providers, insurers, and their contractors; it does not reach a photo stored on your own phone or most third-party apps you choose to upload it to. A date of birth can be used for fraud or identity theft when combined with the individual’s name and other personal information.

The Risks

If you are simply carrying a photographic image of your vaccine card in your phone, remember that phones can be, and regularly are, compromised. More often, though, the weakness is mundane: the phone has no passcode or a weak one, is left unlocked, or is lost or stolen. A photo in the camera roll is also typically synced automatically to a cloud photo library, so the image lives in at least two places, each with its own login.

If your mobile device automatically connects to WiFi, it will rejoin any network whose name matches one you have used before, without checking who is actually operating it. An attacker who broadcasts a familiar network name (a common coffee-shop or hotel SSID, for example) can get your device to join a network they control and then observe or tamper with unencrypted traffic, or present fake login pages to capture credentials. A rogue access point cannot by itself read files off your phone, but it is a common first step. Bluetooth attacks are likewise possible, though they generally require a successful pairing, an accepted prompt, or an unpatched vulnerability on the device. Keeping the phone updated and turning radios off when not in use removes most of this exposure.

If you are using an app created explicitly for vaccine card authentication (commonly referred to as “vaccine passports”), you should still proceed with caution. Some “vaccine passport” programs connect to state-maintained databases for vaccine information. These apps have encountered security flaws.

In New Jersey, Utah, and Minnesota, vaccine status was kept in a state-maintained database. Individuals could request QR codes to reveal their vaccination card data when needed. It was soon discovered that individuals could request QR codes for people other than themselves, allowing them to access someone else’s vaccine card data.
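The flaw described above, a logged-in user retrieving a record that is not theirs by supplying someone else’s identifier, is the kind of object-level authorization bug that a portal issuing QR codes has to guard against. The following added example is illustrative code written for this column, not code from any of the state systems named above; the records, account names, and signing key are constructed. It places a vulnerable handler beside a fixed one that (1) checks that the requested record belongs to the authenticated account, returning the same error for foreign and non-existent records so the endpoint cannot be used to enumerate people, and (2) puts only the fields a venue needs into a signed QR payload so the scanner can detect tampering. The signature here is an HMAC for brevity; a production issuer would use an asymmetric key so that venues verifying codes never hold the signing secret.

```python
"""Illustrative QR-code issuance for a vaccine-record portal.

Constructed example: the records, users and key below are made up; the
vulnerable/fixed pair shows the authorization bug class (a logged-in user
fetching another person's record by ID), not any specific state system.
"""
import base64
import hashlib
import hmac
import json

# Constructed sample data: two portal accounts, each owning one record.
RECORDS = {
    "rec-1001": {"owner": "alice", "name": "Alice Example",
                 "dob": "1980-01-01", "doses": ["2021-03-01", "2021-03-29"]},
    "rec-1002": {"owner": "bob", "name": "Bob Example",
                 "dob": "1975-06-15", "doses": ["2021-04-10", "2021-05-08"]},
}

# Assumed issuer secret (constructed). A real deployment would use an
# asymmetric key so that venues verifying the code never hold the secret.
ISSUER_KEY = b"constructed-demo-key-do-not-use"


class NotAuthorized(Exception):
    """Raised when the caller may not obtain the requested record."""


def issue_qr_vulnerable(session_user, record_id):
    """Insecure direct object reference: any logged-in user can pull any
    record simply by supplying its identifier. The session is checked for
    existence only and is never compared with the record's owner."""
    if not session_user:
        raise NotAuthorized("login required")
    return dict(RECORDS[record_id])


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_qr_fixed(session_user, record_id):
    """Object-level authorization plus a signed, minimal payload.

    - The record must belong to the session's user. A foreign or missing
      record produces the same error, so the endpoint is not an oracle for
      guessing which identifiers exist.
    - Only the fields a venue needs go into the QR payload, and the payload
      is MACed so a venue can detect tampering.
    """
    if not session_user:
        raise NotAuthorized("login required")
    rec = RECORDS.get(record_id)
    if rec is None or rec["owner"] != session_user:
        raise NotAuthorized("record not available to this account")
    payload = {"name": rec["name"], "dob": rec["dob"], "doses": rec["doses"]}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    # The string below is what would be encoded into the QR image.
    return f"{_b64url(body)}.{_b64url(tag)}"


def verify_qr(token):
    """What the venue's scanner does: recompute the MAC in constant time
    and only then trust the decoded fields. Returns None on any failure,
    so a forged or altered code is never displayed as valid."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = _unb64url(body_b64)
        tag = _unb64url(tag_b64)
    except (ValueError, TypeError, AttributeError):
        return None
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


if __name__ == "__main__":
    # Alice can fetch Bob's record through the vulnerable handler...
    print(issue_qr_vulnerable("alice", "rec-1002")["name"])
    # ...but not through the fixed one.
    try:
        issue_qr_fixed("alice", "rec-1002")
    except NotAuthorized as e:
        print("blocked:", e)
    token = issue_qr_fixed("alice", "rec-1001")
    print(verify_qr(token))
```

The venue still has to match the name on the decoded payload against a photo ID; the signature only proves that the issuer produced those fields, not that the person holding the phone is the person named in them.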

Although some apps are state-maintained, others are developed and maintained by third parties with varying security policies and procedures. Some apps keep the vaccine data stored in your phone, while others keep it in the cloud. Both approaches have potential security concerns.

As an app user, you won’t typically know what security measures the app developer has put in place over cloud-maintained data. Some vaccine passport apps like Clear include a photograph of the individual’s face, which is not biometric data per se but could be used as one “piece of the puzzle” by someone trying to assemble enough information to steal your identity.

In other instances, you may have allowed an app to access your vaccination card image without realizing it. Social media apps like Instagram, Twitter, Snapchat, TikTok, and Pinterest ask for permission to access your photo gallery; if you grant access to the full library rather than to selected photos, every image in it, including your vaccine card, becomes readable by that app. Current versions of iOS and Android let you grant access to only the photos you choose, which is the safer option.

One social media trend involves people uploading photos of their vaccine card to their Instagram “Stories” or TikTok accounts to show their followers that they are vaccinated. Unfortunately, they may forget to obscure their name and date of birth in the photo, handing anyone who views the post exactly the combination of details an identity thief looks for.

As a practical matter, some businesses will not even accept electronic proof of vaccination and will require the actual vaccination card. Carrying an electronic copy in your phone is a security risk without any value in those instances. Whether states will accept proof of vaccination via app or electronically stored copies varies from state to state—currently, there’s no universally accepted type of proof.

Ways to Safeguard Your Personal Data

There are ways you can safeguard your personal information while still complying with the mandates in your area, however. If you are required to provide your original vaccine card, you should make a copy of it to keep at home, rather than storing a photo of it on your mobile device.

If you are allowed to provide a copy of your vaccine card, you should consider making a hard copy of it rather than using a photo stored on your phone. If you are required to use an app, you should read the terms and conditions of the app before uploading your personal information to understand how your data could be used or shared.

No matter which method you choose, if you carry a copy of your vaccine card on your mobile device in any manner, you should lock the phone with a strong passcode, turn off automatic joining of open WiFi networks, keep Bluetooth off when you are not using it, and review which apps have full access to your photo library, narrowing that access to selected photos where the operating system allows. If the card image is synced to a cloud photo library, that account deserves a strong, unique password and two-factor authentication as well.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.


Author Information

Sandy B. Garfinkel is an attorney at Eckert Seamans Cherin & Mellott LLC based in Pittsburgh and serves as the Chair of the firm’s Data Security & Privacy Practice group.

Emma M. Lombard is an associate at the firm and a member of the Data Security & Privacy Practice group.