You may not see the risk in sharing on Instagram or Twitter
A selfie with your vaccination card in hand celebrates your vaccination against the novel coronavirus. However, identity theft experts and consumer advocates advise thinking twice before posting this information online.
"Every time you post personal information about yourself, you increase your risk," Eva Velasquez, president and CEO of the Identity Theft Resource Center, told MarketWatch. "It's not just about what's on this card. It's about what else is in store for you – and with the level of data breaches in this country, you can be sure that there is information about you."
Such warnings are of particular concern as more than a dozen states plan to extend vaccination eligibility to all adults this week. By Wednesday, about 29% of the US population had received at least one dose of COVID-19 vaccine, and 16% had been fully vaccinated, according to the Centers for Disease Control and Prevention.
A good alternative to posting your card online is simply to post a photo of yourself flashing a thumbs up and let your friends or followers know that you received the vaccine, said Carrie Kerskie, a Florida-based consultant, speaker and author on identity theft. You can also post a picture of your vaccination sticker. But no one else needs to see the physical card, she said.
Details that can seem harmless
Vaccination cards, which are issued as physical evidence of vaccination, are not standardized, and some states and localities issue their own versions. However, the widely used CDC-designed paper vaccination cards contain fields for the person's full name; date of birth; patient number; vaccine manufacturer and batch number; vaccination dates; and the healthcare professional or clinic involved in administering the vaccine.
While these details may seem innocuous enough (birthday information is already ubiquitous on sites like Facebook), consumer agencies and organizations have warned that bad actors could use this information for identity theft purposes, especially if your account's privacy settings are lax.
"Social media is no place for COVID-19 vaccination cards," the Federal Trade Commission warned in February. "Once identity thieves have the parts they need, they can use the information to open new accounts on your behalf, claim your tax refund for themselves, and engage in other identity thefts."
"Nothing surprises me anymore"
When it comes to identity theft, "it's about putting pieces of the puzzle together," the puzzle that is your digital identity, Kerskie said. "The more information a villain or identity thief has about you, the greater the chance of your success," she told MarketWatch.
It is true that some of the data on this card, like your name, is already publicly available, Velasquez added. But it also includes your date of birth and possibly some health information. "It's one of those things, where do you really want to take this chance?" she said. "I don't want to be alarming, but I don't think it's as harmless as most people think either."
Finally, Velasquez said, a bad actor with knowledge of your vaccination status, the vaccine you received, and the region you live in might approach you with a phone or email scam that uses this small amount of information to gain your trust and "make you disconnect from additional information." "I think that's a real problem," she said.
Or, according to Kerskie, a bad actor could claim that the organization that gave your vaccine had a database breach and now they want to offer you free ID monitoring services – and send you a link to enter confidential information. "It's kind of a track, but nothing surprises me in the world we are in today," she said.
Legitimate organizations are always trying to find creative ways to validate an identity, Kerskie added, and information about when or where you got your COVID-19 vaccine could eventually become part of an identity verification question.
"There are a lot of different things that could be done with it. So why give the bad guys more ammunition than they need?" she said.
With multiple versions of a so-called vaccination pass in the works, and with New York State's Excelsior Pass digital platform recently launched, Velasquez also urged against using vaccination pass apps or platforms whose legitimacy you cannot verify. Wait for more information on the legitimate vaccination passport landscape, she said, as this is currently a "moving target" ripe for fraud.
Scammers sell fake vaccination cards
A press release from the Better Business Bureau in late January indicated that sharing vaccination card photos could provide scammers with the information they need to create and sell counterfeits. "Scammers in the UK have been caught selling counterfeit vaccination cards on eBay and TikTok," the bureau said. "It is only a matter of time before similar disadvantages hit the US and Canada."
According to Velasquez, "this cat is out of the bag." "We are already seeing counterfeit vaccination cards for sale on the dark internet," she said.
A recent analysis by cybersecurity firm Check Point Software Technologies found examples of vaccination certificates that are "made, created, and printed to order, ready to allow people to board airplanes, cross-border or relevant activities that are required of an individual to provide evidence that they were vaccinated."
In a screenshot posted in the report, a person sold a counterfeit CDC vaccination card for $150 and said they would accept Bitcoin.
"The Known Limitation of HIPAA"
What about the Health Insurance Portability and Accountability Act (HIPAA), the federal law protecting privacy in healthcare? Nicolas Terry, the executive director of the Hall Center for Law and Health at Indiana University, told MarketWatch that "there isn't a major legal aspect" regarding people posting their own vaccination cards online.
HIPAA protects protected health information, including vaccine records, from disclosure by a covered entity such as a doctor or hospital, Terry said. In this case, however, the disclosure is made by the patient and not by the covered entity. "What it illustrates is the well-known limitation of HIPAA as it doesn't apply to health information that is shared on social media, for example," he said.
Nonetheless, Terry advised against publishing vaccination cards because of the "surprising amount of information" that could help in an identity theft attempt, not to mention the "lack of sensitivity to those who have not yet been vaccinated". While eligibility increases across the country, supply remains limited.
"People don't stop thinking about what to do," said Kerskie. "'Oh, I just want to share this with my friends.' It's not you – you share it with the whole world."