NYS completes investigation into premature availability of COVID-19 vaccine appointments in January

Posted at 12:55 PM, Oct 14, 2021

NEW YORK (WKBW) — The Offices of the New York State Inspector General announced the completion and findings of its investigation into the New York State Department of Health COVID-19 vaccination scheduling website.

According to a release, in January the Office of Information Technology Services (ITS) referred to the Inspector General an allegation that the NYSDOH COVID-19 vaccine scheduling website had been prematurely accessed.

The Inspector General said the investigation found that a "myriad unintentional factors" led to the website going public prematurely and to more than 28,000 appointments being made by members of the public across the state.

  • Due to a misunderstanding about a function of the program by most of the Vaccine Data System’s architects, programmers, and administrators, immediate and unintentional public access was given once a vaccination event was created in the system.
  • The sequential numbering of links to vaccination scheduling websites created a vulnerability. By altering the scheduling identification numbers in a known website address, an individual could discover a different vaccination scheduling website that had not yet been published.
  • Screening tool users were able to view the address of a vaccination scheduling website in their browser. Individuals were able to directly access those sites by simply copying and pasting the address into the address bar to schedule appointments, thereby bypassing the Screening tool.
  • Websites created exclusively for training purposes were accessed and used by the public. Although these sites were clearly identified as training modules, they were used to sign up for appointments that did not exist.
  • Once a link to a scheduling website had been identified by a user, it could be widely disseminated via social media and used by others. In minutes, an individual could simply copy and paste website links into text messages or emails and distribute them to individuals or groups of people. In fact, counties, school districts, union leaders, and religious communities distributed premature links through mass email distribution lists.
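
The findings above come down to missing server-side checks. The sketch below is an added illustration, not code from the state's Vaccine Data System; every name in it (EventStore, issue_screening_token, can_schedule, the session id) is hypothetical. It assumes events get random identifiers, stay unpublished until an explicit publish step, and can be booked only with a screening token bound to the event and the user's session.

```python
import hashlib
import hmac
import secrets
import time

SCREENING_KEY = secrets.token_bytes(32)  # server-side secret (assumption)
TOKEN_TTL = 900  # seconds a screening result stays valid (assumption)


class EventStore:
    """Hypothetical store of vaccination events."""

    def __init__(self):
        self._events = {}

    def create_event(self, name, training=False):
        # Random 128-bit id: incrementing a known id does not find a neighbour.
        event_id = secrets.token_urlsafe(16)
        # Creating an event does not publish it.
        self._events[event_id] = {"name": name, "training": training,
                                  "published": False}
        return event_id

    def publish(self, event_id):
        self._events[event_id]["published"] = True

    def get(self, event_id):
        return self._events.get(event_id)


def _mac(event_id, session_id, expires):
    msg = f"{event_id}|{session_id}|{expires}".encode()
    return hmac.new(SCREENING_KEY, msg, hashlib.sha256).hexdigest()


def issue_screening_token(event_id, session_id, now=None):
    """Issued only after the screening tool finds the user eligible."""
    expires = int((now if now is not None else time.time()) + TOKEN_TTL)
    return f"{expires}.{_mac(event_id, session_id, expires)}"


def can_schedule(store, event_id, token, session_id, now=None):
    """Checked on every scheduling request, whatever URL the user arrived by."""
    now = now if now is not None else time.time()
    event = store.get(event_id)
    if event is None or not event["published"] or event["training"]:
        return False
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except (AttributeError, ValueError):
        return False  # missing or malformed token: screening was skipped
    expected = _mac(event_id, session_id, expires)
    return hmac.compare_digest(mac.encode(), expected.encode()) and now <= expires
```

Because the token is tied to one session and expires, a scheduling address pasted into an email or text message does not let the recipient book without passing screening themselves.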

The appointments that were made were canceled due to the premature access and questions about the applicants’ eligibility to receive a vaccine. No evidence was found that the systems were compromised by cyber criminals or that NYS employees or contractors with access to scheduling links leaked them.

"State employees worked tirelessly to get the vaccination registration program off the ground in record time and with outstanding results. However, several factors left open the possibility for members of the public to prematurely and unknowingly ‘jump the line.’ While DOH, ITS, HRI and others were able to curtail the vulnerabilities, our investigation identified ways to ensure that the State’s vaccination registration system is able to withstand ongoing efforts to fairly and efficiently get shots in the arms of all New Yorkers."
- acting Inspector General Robyn Adair