Bug in app used by Utahns, others to store vaccination records expose personal information


SALT LAKE CITY (ABC4) – Users of Docket, an app available for Utah and New Jersey residents to store their COVID-19 vaccine information, fell victim to a bug that made their immunization records accessible to everyone.

The Utah Department of Health, along with New Jersey officials, have approved the Docket mobile phone app for storing and accessing immunization records. Through the file, UDOH explains, users can view past immunization reports, track upcoming injections, and share official immunization reports.

Earlier this week, TechCrunch Reports they found a bug in the app that allowed anyone to access the scannable QR codes of other vaccinated users, with all personal and vaccine information inside. Docket allows users to share their immunization records via QR code to access events, restaurants or other places requiring the COVID-19 vaccine.

With the bug, Docket allowed anyone to access a person’s names, dates of birth and COVID-19 vaccination status information, according to TechCrunch. After the outlet reported the bug to Dockett, they reported that the bug was fixed at the server level shortly thereafter. Docket chief executive Michael Perretta told TechCrunch that the company is examining its logs to determine if there has been malicious activity.

Docket has yet to return ABC4’s request for comment. A tweet posted to their Twitter account late Wednesday night said the platform “has been working hard to eliminate the bugs.”

Tom Hudachko, Director of Communications with UDOH shared the following statement with ABC4:

The Utah Department of Health is committed to ensuring the privacy of Utah residents and expects its contractors and partners to maintain the same commitment. Docket informed us earlier this week of a bug in its system that could potentially allow users to access the personal information of other users. Docket assured us that they identified the cause of the bug and fixed it.

We work with Docket and our own data security teams to identify any users whose information may have been shared inappropriately and provide appropriate notification to those individuals.

The Docket app has undergone a thorough security review by the Centers for Medicare and Medicaid Services and the Office of the National Coordinator of Health Information Technology.

Hudachko says they only found one user whose records were inappropriately viewed. The number of Utahns using the app was not immediately available.


Comments are closed.