Beaumont shuts down Covid-19 vaccination scheduling for nearly 24 hours after breach

An unknown user publicly shared a link to access Beaumont’s Epic-enabled vaccination scheduling services, which resulted in 2,700 people making unauthorized appointments for a Covid-19 vaccine. The Michigan-based health system had to shut down its vaccination scheduling services and cancel the appointments.

Beaumont Health shut down Covid-19 vaccination registration and scheduling services delivered via its Epic EHR system for close to 24 hours over the weekend, after detecting unusual activity.

On Saturday, a user took advantage of an Epic scheduling tool vulnerability and publicly shared a link to the scheduling module for the vaccination clinic. This allowed 2,700 people to register for an unauthorized vaccine appointment. The Southfield, Michigan-based health system is canceling all the appointments made using the link and notifying the individuals by email.

“We regret 2,700 people in our community became victims of this unfortunate incident,” said Hans Keil, senior vice president and chief information officer at Beaumont Health, in a statement. “We remain committed to vaccinating as many people as possible who meet the state’s guidelines. We are also notifying the Michigan Hospital Association and other Michigan health systems about the issue.”

The health system suspects the user shared the link primarily via email or text as it has not seen the link posted on a social media platform, said Keil in an email to MedCity News. The health system has not identified the user, but its investigation is ongoing.

Beaumont is using its Epic EHR to set up vaccine appointments for those eligible. The health system is sending invitations to randomly selected, qualified patients in its database, who can then register and schedule their vaccination appointment through the EHR, Keil said.

“It is controlled, both to ensure we adhere to an ethical framework for vaccine distribution and [to] ensure our vaccine clinics can effectively manage in a socially distanced, orderly and safe manner,” he said.

The appointments made via the unauthorized link violate the distribution framework Beaumont created based on Michigan’s vaccine guidelines. These guidelines include creating priority groups for vaccine administration. Currently, the state is allowing healthcare workers, frontline essential workers, child care and school staff, long-term care residents and staff, and those over 65 years to get vaccinated.

After discovering the incident, Beaumont shut down vaccination registration and scheduling from 7:30 p.m. Saturday until 9 p.m. Sunday EST. During that time, the system’s IT team worked with Epic to close the unauthorized pathway to the scheduling module, said Keil.

“We are working with Beaumont to address this situation, but this will not interfere with those who are currently eligible to schedule an appointment and receive a vaccine,” said Epic in a statement online.

In addition, the incident did not compromise patients’ personal medical records, nor did it give outsiders access to hospital records.
