Readers of PoPville report:
“Just applied for the new DC digital SMART Health Card and was sent someone else’s vaccine record?! Hopefully you’re not sending my vaccine card to other random people??”
and
“Received notification from DCHealth about digital vaccine record. Went to the site and signed up using DOB; PIN; and first and last name. Received a vaccine record for someone ELSE. This is a huge issue that needs to be fixed ASAP. I am not Ronald”
Read more at PoPville.
I’m not sure why the report says “DVR is HIPPA-compliant and records are only available to authorized users.” Apart from the fact that it is “HIPAA” and not “HIPPA,” where do they get the idea that the system is HIPAA-compliant or that any agency has formally approved it for security and privacy rules compliance?
DataBreaches.net emailed the D.C. Department of Health to ask about the claimed data leak/misconfiguration, but no reply was forthcoming. DataBreaches.net also tweeted to PoPville to ask them where they got the claim about HIPAA compliance. They, too, did not reply.
Related: vaccinerecord.dc.gov