Michigan-based Beaumont Health detected “unusual activity” on Saturday related to the online COVID-19 vaccine scheduling available through its Epic electronic health record system.
According to a press release shared on the system’s website, a user took advantage of a vulnerability in Epic’s scheduling tool, allowing for 2,700 people to “cut in line” and register for an unauthorized vaccine appointment. Those appointments have now been canceled.
“These appointments violate the ethical distribution framework Beaumont created based upon the State of Michigan’s mandatory vaccine guidelines,” said Beaumont Health Chief Information Officer Hans Keil in a statement. “We regret that 2,700 people in our community became victims of this unfortunate incident.”
WHY IT MATTERS
According to a statement from Epic, the issue occurred when a scheduling pathway “intended only for direct recipients” was shared by unauthorized members of the public.
“We are working with Beaumont to address this situation, but this will not interfere with those who are currently eligible to schedule an appointment and receive a vaccine,” read the statement.
Epic did not respond to requests for comment by press time about whether similar vulnerabilities could be exploited in other health systems using its vaccine scheduler.
Beaumont stressed that the incident had neither led to any outside access to medical records nor compromised any individual’s medical information.
“The pathway simply allowed users to schedule an unauthorized appointment that circumvented the current Michigan mandates,” said the press release.
THE LARGER TREND
Epic has been preparing its systems to assist clients with the COVID-19 vaccine rollout since late last year, along with other EHR giants such as Cerner and athenahealth.
The vendor also announced this past month that it would team up with other heavy-hitters to help aid in coordination and record-keeping with regard to the vaccine.
At the same time, cybersecurity experts have pointed to potential concerns around the rollout, noting that heightened demand could exacerbate existing vulnerabilities presented by the COVID-19 crisis.
“Companies have had to quickly navigate the changes brought about by social distancing guidelines and adapt to remote working environments, with cybersecurity looming as an afterthought. With more information being shared across devices and services, businesses must double down on data protection and security to protect against these emergent risks,” read one report released in December.
ON THE RECORD
“We remain committed to vaccinating as many people as possible who meet the State’s guidelines,” said Keil. “We are also notifying the Michigan Hospital Association and other Michigan health systems about the issue.”