NEW YORK — Unintentional factors led to the scheduling website being prematurely available to the New York State public in January, according to an investigation by the Offices of the New York State Inspector General on Thursday.
The Office of Information Technology Services (ITS) referred an allegation to the Inspector General that the New York State Department of Health's (DOH) vaccine scheduling site had been accessed early by the public.
The investigation found that 8,000 appointments were prematurely scheduled at state-operated sites including Buffalo, Binghamton, Plattsburgh, Potsdam, and Utica. Almost 20,000 appointments were scheduled at the State University of New York (SUNY) Stony Brook University vaccination site. These appointments were made more than 24 hours before the website was supposed to become public.
The website was created in collaboration with DOH, ITS and Health Research, Inc. The state contracted Deloitte to create a screening tool to determine eligibility.
The investigation did not find that the system had been compromised or that State employees or contractors had leaked the links to the public.
There were several factors that allowed for the public to access the site early, according to the study:
- Due to a misunderstanding about a function of the program by most of the Vaccine Data System’s architects, programmers, and administrators, immediate and unintentional public access was given once a vaccination event was created in the system.
- The sequential numbering of links to vaccination scheduling websites created a vulnerability. By altering the scheduling identification numbers in a known website address, an individual could discover a different vaccination scheduling website that had not yet been published.
- Screening tool users were able to view the address of a vaccination scheduling website in their browser. Individuals were able to directly access those sites by simply copying and pasting the address into the address bar to schedule appointments, thereby bypassing the Screening tool.
- Websites created exclusively for training purposes were accessed and used by the public. Although these sites were clearly identified as training modules, they were used to sign up for appointments that did not exist.
- Once a link to a scheduling website had been identified by a user, it could be widely disseminated via social media and used by others. In minutes, an individual could simply copy and paste website links into text messages or emails and distribute them to individuals or groups of people. In fact, counties, school districts, union leaders, and religious communities distributed premature links through mass email distribution lists.
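The first four factors share one root cause: the scheduling pages relied on the link staying unknown, with no server-side check behind it. The sketch below is an added example, not code from the Vaccine Data System or the Inspector General's report. It shows the corresponding controls: random event IDs, events that stay unpublished until explicitly released, training events that can never be booked, and a signed screening result verified on every scheduling request. All function names, the in-memory `EVENTS` store and the 15-minute validity window are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side secret for signing screening results (assumption).
SCREENING_KEY = secrets.token_bytes(32)
TOKEN_TTL = 900  # seconds a screening result stays valid (assumed value)

EVENTS = {}  # event_id -> event record (stand-in for the database)

def create_event(name, training=False):
    """New events get a random ID and start unpublished."""
    event_id = secrets.token_urlsafe(16)  # 128 random bits, not enumerable
    EVENTS[event_id] = {"name": name, "published": False, "training": training}
    return event_id

def publish_event(event_id):
    """Publishing is an explicit step; training events can never go public."""
    if EVENTS[event_id]["training"]:
        raise ValueError("training events cannot be published")
    EVENTS[event_id]["published"] = True

def issue_screening_token(event_id, now=None):
    """Called by the screening tool after a user passes eligibility."""
    expires = int(now if now is not None else time.time()) + TOKEN_TTL
    msg = f"{event_id}.{expires}".encode()
    sig = hmac.new(SCREENING_KEY, msg, hashlib.sha256).hexdigest()
    return f"{expires}.{sig}"

def can_schedule(event_id, token, now=None):
    """Server-side gate run on every request to a scheduling page."""
    event = EVENTS.get(event_id)
    if event is None or event["training"] or not event["published"]:
        return False  # unknown, training, or not yet released
    try:
        expires_s, sig = token.split(".", 1)
        expires = int(expires_s)
    except (AttributeError, ValueError):
        return False  # missing or malformed token: link was pasted directly
    msg = f"{event_id}.{expires}".encode()
    expected = hmac.new(SCREENING_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False  # forged, or issued for a different event
    return (now if now is not None else time.time()) < expires
```

The token here is bound to an event but not to a user session, so a link forwarded within the validity window would still work. Binding the token to the session that completed screening would address the mass-distribution factor as well.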
The Inspector General did find that the Vaccine Data System was not able to handle the high demand. The system was used to collect information from people who wanted to receive the vaccine.
The public was unaware they were accessing the site prematurely or bypassing the screening tool, according to the investigation. However, data was still collected through the Vaccine Data System and proof of eligibility was required at vaccination locations.