Health system flags vulnerability in Epic COVID-19 vaccine scheduler

The pathway discovered at Michigan-based Beaumont Health allowed users to "cut in line" to schedule unauthorized appointments and circumvent current state mandates.
By Kat Jercich
11:29 AM

This story has been updated to include a comment from an Epic spokesperson.

Michigan-based Beaumont Health detected "unusual activity" on Saturday related to the online COVID-19 vaccine scheduling available through its Epic electronic health record system.

According to a press release shared on the system's website, a user took advantage of a vulnerability in Epic's scheduling tool, allowing for 2,700 people to "cut in line" and register for an unauthorized vaccine appointment. Those appointments have now been canceled.

"These appointments violate the ethical distribution framework Beaumont created based upon the State of Michigan’s mandatory vaccine guidelines," said Beaumont Health Chief Information Officer Hans Keil in a statement. "We regret that 2,700 people in our community became victims of this unfortunate incident."

According to a statement from Epic, the issue occurred when a scheduling pathway "intended only for direct recipients" was shared by unauthorized members of the public.

"We are working with Beaumont to address this situation, but this will not interfere with those who are currently eligible to schedule an appointment and receive a vaccine," read the statement.

Epic did not respond to requests for comment by press time about whether similar vulnerabilities could be exploited in other health systems using its vaccine scheduler.

"As health systems expand their vaccination programs to align with prioritization by state and local public health authorities, we’re helping them choose the tools in Epic that fit their needs and that will provide the best way to reach those priority groups. These include 'ticket scheduling,' where individual patients who meet the criteria receive an invitation to schedule a vaccination appointment, and 'open scheduling,' which opens the schedule to the broader community," said a spokesperson for Epic after initial publication. The spokesperson noted that Beaumont had been using the latter.

"Health systems that use open scheduling use other methods to verify eligibility, like having people attest to meeting the eligibility criteria such as age or occupation," the spokesperson added.
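To make the distinction between the two modes concrete, here is an added illustration (not Epic's code, and not Beaumont's configuration) of what a "ticket" invitation looks like when it is bound to one eligible patient, single-use and time-limited, next to an "open" booking that relies on self-attestation alone. The patient ids, priority groups and signing key are constructed for the example.

```python
import hmac, hashlib, secrets, time

# Constructed server-side signing key; a real deployment keeps this in a secret store.
SERVER_KEY = secrets.token_bytes(32)
# Constructed eligibility roster: patient id -> vaccination priority group.
ELIGIBLE = {"pt-1001": "1A", "pt-1002": "1B"}
_redeemed = set()  # ticket ids already used to book (single-use enforcement)

def issue_ticket(patient_id, ttl_seconds=7 * 24 * 3600, now=None):
    """Ticket scheduling: issue an invitation bound to one eligible patient."""
    if patient_id not in ELIGIBLE:
        raise PermissionError("patient not on the eligibility roster")
    now = int(time.time()) if now is None else now
    ticket_id = secrets.token_hex(8)
    payload = f"{ticket_id}|{patient_id}|{now + ttl_seconds}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"

def book_with_ticket(ticket, presented_patient_id, now=None):
    """Accept a booking only if the ticket is authentic, unexpired, unused
    and presented by the patient it was issued to (a forwarded link fails)."""
    now = int(time.time()) if now is None else now
    try:
        ticket_id, patient_id, exp, tag = ticket.split("|")
    except ValueError:
        return False  # malformed
    payload = f"{ticket_id}|{patient_id}|{exp}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False  # forged or tampered
    if now > int(exp) or ticket_id in _redeemed:
        return False  # expired or already redeemed
    if patient_id != presented_patient_id or patient_id not in ELIGIBLE:
        return False  # link was shared: the booker is not the invitee
    _redeemed.add(ticket_id)
    return True

def book_open(attested_group, accepted_groups=("1A", "1B")):
    """Open scheduling: anyone holding the link books on attestation alone,
    so eligibility rests entirely on the honesty of the attestation."""
    return attested_group in accepted_groups
```

The contrast shows why a shared open-scheduling pathway cannot distinguish an invited patient from anyone else who received the link, while a ticket check rejects forwarded, replayed, altered and expired invitations.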

Beaumont stressed that the incident had neither led to any outside access to medical records nor compromised any individual's medical information.

"The pathway simply allowed users to schedule an unauthorized appointment that circumvented the current Michigan mandates," said the press release.

Epic has been preparing its systems to assist clients with the COVID-19 vaccine rollout since late last year, along with other EHR giants such as Cerner and athenahealth.

The vendor also announced this past month that it would team up with other heavy-hitters to help aid in coordination and record-keeping with regard to the vaccine.

At the same time, cybersecurity experts have pointed to potential concerns around the rollout, noting that heightened demand could exacerbate existing vulnerabilities presented by the COVID-19 crisis.

"Companies have had to quickly navigate the changes brought about by social distancing guidelines and adapt to remote working environments, with cybersecurity looming as an afterthought. With more information being shared across devices and services, businesses must double down on data protection and security to protect against these emergent risks," read one report released in December.

"We remain committed to vaccinating as many people as possible who meet the State’s guidelines," said Keil. "We are also notifying the Michigan Hospital Association and other Michigan health systems about the issue."

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Healthcare IT News is a HIMSS Media publication.