Americans are afraid their vaccine passports could get hacked

Some are calling for broad digital privacy legislation to ensure health information is kept safe.

By RUTH READER | Fast Company | July 29, 2021

Efforts to get Americans to adopt digital vaccine proof have been slow. A new Harris Poll reveals that 80% of Americans are worried that getting a COVID-19 digital passport could put their personal data at risk.

Among the majority of Americans who have cybersecurity concerns about the new digital vaccine credentials, the survey found that slightly more than half were uneasy about the potential for identity theft. On top of that, less than half of Americans believe that either businesses or the government are prepared to defend passport apps against a potential cyber attack.

The overall disquiet about digital vaccine systems aligns with how likely Americans are to actually get a digital vaccination card. Only 68% of Americans say they are likely to sign up for one, according to a recent Harris Poll conducted in collaboration with cybersecurity platform Anomali. Just 45% say they are very likely to use a digital vaccination certification.

Most states and the federal government have stopped short of requiring their employees to get vaccinated. Only San Francisco has so far issued a vaccination directive for city employees. Both New York State and California are telling workers to get vaccinated or else face weekly COVID-19 testing. President Biden has now made a similar mandate for federal workers. Meanwhile, Veterans Affairs is planning to make COVID-19 vaccination mandatory for frontline health workers.

With less than 50% of people in the U.S. vaccinated, according to CDC data, digital vaccine credentials have the potential to be an important tool in preventing disease spread. With proper standardization, such credentials may be less susceptible to fraud than the paper cards. However, without consistent adoption and strict rules, digital vaccine credentials may not live up to their promise.


In April, the White House decided against developing a federal digital vaccine standard. While some states have banned or proposed bans on so-called vaccine passports, others have launched their own, such as New York’s Excelsior Pass, which launched in March. Roughly 12 million New Yorkers have received both doses of the vaccine and about 2 million have downloaded the app. Meanwhile, only 1.55 million Californians out of the more than 21 million who have been vaccinated have downloaded their digital record since the app went live on June 18. There are also private options: Clear’s Health Pass and the Common Pass, which is run by The Commons Project Foundation. IBM makes a Digital Health Pass for business (which is also the framework that New York State is using). Still, the most widely available form of vaccine proof remains paper cards.

A coalition that includes Apple, the Mayo Clinic, Microsoft, the CARIN Alliance, University of California San Diego Health, and the Commons Project Foundation has built a secure standard for digital vaccine credentialing called the Vaccine Credential Initiative that hopes to garner wide adoption. The organization’s digital health record turns test results and vaccine status into a QR code that can be scanned at airports and other venues that accept it. So far, the VCI’s Smart health card has gotten buy-in from a long list of health systems as well as Walmart, CVS, and electronic health record giants Epic and Cerner.


Researchers at the Brookings Institute, a think-tank in D.C., say part of the problem is the federal government lacks comprehensive digital privacy legislation. While medical information retained by a health system is protected under the Health Insurance Portability and Accountability Act (HIPAA), health information inside of other apps is not similarly secured. “Moreover, it is unclear whether CVS, Walgreens, and other clinics—which are storing vaccination data for millions of Americans—have the same legal responsibility as medical providers to protect [personal health information],” write Brookings’ researchers.

In their argument, they call for regulations that prevent companies from selling or mishandling personal information. Without specific laws addressing digital privacy, they say, Americans are at risk. In order for Americans to start feeling more at ease about using a digital vaccine credential, Congress may have to act. Broad digital privacy laws may not come soon enough.

Even in the case of the VCI’s Smart health card, JP Pollak, cofounder and chief architect at The Commons Project, says that entities issuing the credential and credential verifiers are ultimately responsible for ensuring that an individual’s health data is secured or deleted after it’s been verified. The VCI created a verification app for venues that simplifies that process. It also has an open-source framework for companies who want to develop their own proprietary apps. However, Pollak acknowledges, venues are not obligated to secure anyone’s personal health data.

While adoption of digital vaccine credentials remains relatively low, Pollak thinks we’ve reached a turning point. “I think the rise of Delta variant coinciding with a time period where there’s lots of vaccinated people who are ready to get out and start doing things has forced us into a place where there is a greatly increased demand to be able to verify people’s vaccination status,” he says. He believes that the real incentive to adopt a digital credential will come when people are ready to travel. The Common Pass is currently being used as a means of vaccine verification for U.S. visitors to Hawaii and Aruba.

“It’s the way to get exempt from quarantine or testing if you’ve got vaccine passes,” he says. “So we’ve seen quite a bit of demand for that.”

Read the full story at Fast Company.