Secrets are already hard to keep on the internet, but when discreet information like “free for all” vaccine appointments gets published during a pandemic, the news spreads like wildfire.
That’s what happened last month, before vaccines were widely available, when links for the Covid-19-inoculating jabs that were open to anyone—regardless of their age, health complications or work status—through the Santa Clara County Health System began to circulate online and on social media.
The links were meant for populations hit hardest by Covid-19, but when county officials realized the appointments had become more common knowledge, they shut the webpages down. Some residents who stumbled upon a link and entered their information to reserve a vaccination appointment earlier in the month clicked the link again later to be greeted with an error and confusing responses from county workers.
That left some searching the web for answers, including taking to random message boards like Reddit to wonder whether their information had been lost to hackers or some other technical glitch.
San Jose resident Kevin Vermilion was one of many who uncovered a long list of times and dates open to all who clicked across several locations, including Berger Auditorium, Gilroy High School and Levi’s Stadium.
He entered his information, but decided to wait, knowing he wasn’t technically eligible for a jab.
When appointments opened to all residents 16 and older, he plugged in that same site, only to be greeted by error messages and a phone number to the “Valley Connections” customer service line.
After waiting on a long hold, Vermilion said a very stressed woman on the other end of the line informed him he had the same problem as every other caller: he plugged his birthdate, address, phone number and medical record number into a site they didn’t run.
“It definitely doesn't seem like the right response to tell people, ‘Well you've been giving your personal information to somebody that's not us,’” Vermilion said.
A county spokesperson told San Jose Inside this month that the signup was hosted by the county, geotagged for specific neighborhoods and meant for hard-hit and high-risk populations that the state and region were racing to inoculate.
None of that information was publicly listed on the website where residents could sign up for appointments, or in the error message that appeared later, however.
“There was no way for people—besides the first person who shared it—to really know that that was the origin of the link, if that was the case,” Vermilion said. “I certainly had no idea, so I’m not surprised that after it leaked out it just spread like crazy.”
Phone operators still seemed unaware of what had happened earlier this month, as some were still informing callers that the county’s now-discontinued sites were hijacked to schedule appointments, but a county investigation says otherwise.
“Any data entered into the site remains protected through the County’s systems,” a county spokesperson said. “There was no penetration or infiltration of the County’s data or computer system; the inappropriately shared link bypassed the County’s eligibility screening but did not otherwise modify the scheduling process.”
Metadata of the county’s subdomain sites show they were updated February 25—the same day eligibility for vaccines expanded to include unhoused people in shelters and encampments in Santa Clara County.
Websites tracking web traffic reported that while the standard sccgov.com page has several subdomains, the “stgensccweb” site—one of the misused appointment links posted in several iterations online—accounted for 5.43% of visitors.
County officials said they did not know how many appointments were scheduled using those links, or how many of those appointments were honored.
Vulnerable communities are still lagging when it comes to vaccinations as of this month, when white residents were disproportionately more likely to schedule an appointment to be vaccinated. Latinos in Santa Clara County, meanwhile, have received about 14% of vaccinations, despite accounting for about 25% of the county population and 50% of Covid-19 cases.
Vermilion wonders if the sites could have stayed active if messaging from Santa Clara County officials had been clearer about access and intention from the jump.
“I think having a more informative error message would have solved the problem altogether,” Vermilion said. “And it probably would have taken the pressure off the people answering the phones, too.”
These backdoor links were being widely shared on NextDoor and Facebook. I was part of a group that was helping people find appointments when vaccine doses were still scarce, and we were begging people not to use these links. Multiple people told the county that these links were being abused, but it took the county, I don’t remember now, a couple of weeks at least to shut them down.
IMO the county was just stupid to think that the links wouldn’t be widely shared.
Privacy is a huge concern.
CVS sent my information to a doctor in Southern California whom I have never met. I have written to CVS three times to object with no response. I did not sign the release. This violates HIPAA.
My GP did not receive the information.
And, where does the 25% COVID treatment premium go?