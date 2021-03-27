Director General of Health Dr Ashley Bloomfield says despite over a thousand people trained to give Covid-19 shots, less than half of those are required at the moment.

Canterbury District Health Board (CDHB) has apologised for a software coding error which allowed people to see other patients’ private information when they booked a Covid-19 vaccination appointment.

The error meant the details of 716 individuals who had registered were potentially able to be viewed.

The details included name, gender, age, and NHI number, but no personal health information.

In a statement, the Ministry of Health (MoH) said the system was taken down on Friday night and an investigation is now under way which will provide more detailed information.

But National’s Covid response spokesperson said the matter was “far worse than the Ministry has publicly admitted to”.

Dr Ashley Bloomfield, director-general of health, said the mistake was “very unfortunate” and immediate steps were taken to address the issue.

“All health services take the privacy of individuals very seriously,” he said.

“The DHB will be contacting those affected, apologising directly and informing them of the actions now being taken.”

At this stage, the issue is limited to CDHB and to household members of frontline border workers invited to make appointments to be vaccinated.

Both the ministry and CDHB have thanked a member of the public “with strong technical skills” for the prompt alert after detecting a security vulnerability in the code.

There is no evidence of any malicious breach.

National’s spokesman for Covid-19 response Chris Bishop said via Twitter that he had been contacted on Friday night “by two individuals who told me they had raised with the Minister of Health and the MoH earlier that evening that there was a potential data privacy breach within the booking system being used for household contacts to book their Covid-19 vaccination”.

“People accessing the system were able to pull the national health numbers of people, their cell phone numbers, emails and dates of birth. I immediately alerted Covid-19 Response Minister Chris Hipkins”.

He said the Ministry of Health described the issue as a ‘coding error’ affecting just the Canterbury DHB, “but the situation is far worse than the Ministry has publicly admitted to”.

“My understanding from talking to the people who raised the initial alarm is that the system was so poorly designed that people could log in, pretend to be a vaccinator, alter patient records (such as marking people as having been vaccinated), change their appointment times,” Bishop said.

A spokeswoman said CDHB had no further comment to make at this stage.

A national booking system is currently being developed and will be available in May.

Individuals with questions or concerns about the booking system coding error should in the first instance ring Healthline on 0800 358 5453.