Beaumont Health shut down Covid-19 vaccination registration and scheduling services delivered via its Epic EHR system for close to 24 hours over the weekend, after detecting unusual activity.
On Saturday, a user took advantage of an Epic scheduling tool vulnerability and publicly shared a link to the scheduling module for the vaccination clinic. This allowed 2,700 people to register for an unauthorized vaccine appointment. The Southfield, Michigan-based health system is canceling all the appointments made using the link and notifying the individuals by email.
“We regret 2,700 people in our community became victims of this unfortunate incident,” said Hans Keil, senior vice president and chief information officer at Beaumont Health, in a statement. “We remain committed to vaccinating as many people as possible who meet the state’s guidelines. We are also notifying the Michigan Hospital Association and other Michigan health systems about the issue.”
The health system suspects the user shared the link primarily via email or text as it has not seen the link posted on a social media platform, said Keil in an email to MedCity News. The health system has not identified the user, but its investigation is ongoing.
Beaumont is using its Epic EHR to set up vaccine appointments for those eligible. The health system is sending invitations to randomly selected, qualified patients in its database, who can then register and schedule their vaccination appointment through the EHR, Keil said.
“It is controlled, both to ensure we adhere to an ethical framework for vaccine distribution and [to] ensure our vaccine clinics can effectively manage in a socially distanced, orderly and safe manner,” he said.
The appointments made via the unauthorized link violate the distribution framework Beaumont created based on Michigan’s vaccine guidelines. These guidelines include creating priority groups for vaccine administration. Currently, the state is allowing healthcare workers, frontline essential workers, child care and school staff, long-term care residents and staff, and those over 65 years to get vaccinated.
After discovering the incident, Beaumont shut down vaccination registration and scheduling from 7:30 p.m. Saturday until 9 p.m. Sunday EST. During that time, the system’s IT team worked with Epic to close the unauthorized pathway to the scheduling module, said Keil.
“We are working with Beaumont to address this situation, but this will not interfere with those who are currently eligible to schedule an appointment and receive a vaccine,” said Epic in a statement online.
In addition, the incident did not compromise patients’ personal medical records, nor did it give outsiders access to hospital records.