You may not see the risk in sharing an Instagram or Twitter selfie, vaccination card in-hand, celebrating your inoculation against the novel coronavirus. But identity-theft experts and consumer advocates advise thinking twice before posting that information online.
“Any time you post personal information about yourself, you elevate your risk,” Eva Velasquez, the president and CEO of the Identity Theft Resource Center, told MarketWatch. “It’s not just about what’s on that card; it’s about what else is out there on you — and with the state of data breaches in this country, you can be sure there is information out there about you.”
Such warnings have particular relevance as more than a dozen states plan to expand vaccine eligibility to all adults this week. As of Wednesday, about 29% of the U.S. population had received at least one dose of COVID-19 vaccine, and 16% had been fully vaccinated, according to the Centers for Disease Control and Prevention.
A good alternative to posting your card online is simply a photo of you flashing a thumbs up, informing your friends or followers that you got the vaccine, said Carrie Kerskie, an identity-theft consultant, speaker and author based in Florida. You could also post a picture of your vaccination sticker. But nobody else needs to see that physical card, she said.
Details that may seem harmless
Vaccination cards issued as physical proof of immunization are not standardized, and some states and localities are issuing their own versions. But the widely used CDC-designed paper vaccination cards include fields for the person’s full name; date of birth; patient number; vaccine manufacturer and lot number; dates of vaccination; and the healthcare professional or clinic site involved in administering the vaccine.
While those details might seem harmless enough — after all, birthday information is already ubiquitous on sites like Facebook — consumer agencies and organizations have cautioned that bad actors could leverage this information for identity-theft purposes, particularly if your account’s privacy settings are lax.
“Social media is no place for COVID-19 vaccination cards,” the Federal Trade Commission warned in February. “Once identity thieves have the pieces they need, they can use the information to open new accounts in your name, claim your tax refund for themselves, and engage in other identity theft.”
‘Nothing surprises me anymore’
When it comes to identity theft, “it’s all about putting together pieces of the puzzle” that is your digital identity, said Kerskie. “The more information a bad guy or an identity thief has about you, the greater chance of their success,” she told MarketWatch.
It’s true that some of the data on that card, like your name, is already publicly available, Velasquez added. But it also contains your date of birth, and potentially some health information. “It’s one of those things where, do you really want to take that chance?” she said. “I don’t want to be alarmist about it, but I also don’t think it’s as innocuous as most people think.”
After all, Velasquez said, a bad actor armed with knowledge about your vaccination status, the vaccine you received, and the region where you live could target you with a phone or email scam that leverages that small amount of information to gain your trust and “get you to part with additional information.” “I do think that’s a real concern,” she said.
Or, Kerskie suggested, a bad actor could reach out claiming the organization that administered your vaccine had a database breach and now wants to offer you free ID-monitoring services — and send you a link to input sensitive information. “This is kind of a stretch, but in the world that we’re in today, nothing surprises me anymore,” she said.
Legitimate organizations are always trying to find creative ways to validate an identity, Kerskie added, and information about when or where you received your COVID-19 vaccine could eventually become part of an identity-verification question.
“There are a lot of different things that could be done with it — so again, why give the bad guys more ammunition than they need?” she said.
With several versions of a so-called vaccine passport now in the works — and the recent launch of New York state’s digital Excelsior Pass platform — Velasquez also urged against using vaccine-passport apps or platforms whose legitimacy you can’t verify. Wait until there’s more information about the legitimate landscape of vaccine passports, she said, as this is currently a “moving target” that’s ripe for fraud.
Scammers are selling fake vaccination cards
A late-January news release by the Better Business Bureau cautioned that sharing vaccination-card photos could supply scammers with the information they need to create and sell forgeries. “Scammers in Great Britain were caught selling fake vaccination cards on eBay and TikTok,” the Bureau said. “It’s only a matter of time before similar cons come to the United States and Canada.”
According to Velasquez, “that cat’s out of the bag.” “We are already seeing forgeries of vaccination cards for sale on the dark web,” she said.
A recent analysis by the cybersecurity company Check Point Software Technologies found examples of vaccination certificates “being manufactured, created and printed to order, ready to be used to enable people to board planes, cross borders or for any relevant activity that requires a person to give proof that they have been vaccinated.”
In one screenshot published in the report, a person was selling a fake CDC vaccination card for $150, and said they would accept bitcoin
‘The well-known limitation of HIPAA’
What about the Health Insurance Portability and Accountability Act (HIPAA), the federal healthcare privacy law? Nicolas Terry, the executive director of the Hall Center for Law and Health at Indiana University, told MarketWatch “there isn’t much of a legal angle” related to individuals posting their own vaccination cards online.
HIPAA shields protected health information, including vaccine records, from disclosure by a covered entity such as a doctor or hospital, Terry explained — but in this case, the disclosure is by the patient, not the covered entity. “What it does illustrate is the well-known limitation of HIPAA in that it doesn’t apply to health information circulating on, [for example], social media,” he said.
Still, Terry advised against posting vaccination cards due to the “surprising amount of information” that could aid in an identity-theft attempt, not to mention “the lack of sensitivity it shows with regard to those who are as yet unvaccinated.” While eligibility across the country is expanding, supply remains limited.
“People don’t stop and think what they’re doing,” Kerskie said. “‘Oh, I just want to share this with my friends.’ You’re not — you’re sharing it with the entire world.”