Getting a little Orwellian: California's COVID vaccine record system

Whether you knew it or not, if you got your COVID vaccine in California, your medical record of it went to the state of California, which keeps a database on it.

According to KCRA News:

California officials on Friday announced a way for residents to access their COVID-19 vaccine records digitally. The records, which can be used to gain access to businesses or events that require proof of full vaccination, can be found by going to "The tool is a convenient option for Californians who received a COVID-19 vaccination to access their record from the state's immunization registry systems," the California Department of Public Health said in a news release. The state health department recommends that Californians still hold onto their paper cards from the Centers for Disease Control and Prevention.

How many people knew that when they got their COVID vaccine that their medical records of it would be accessible like that. According to the California State Department of Health:

The State of California's Digital COVID-19 Vaccine Record (DCVR) Portal allows Californians to download their COVID-19 vaccination record. In order for you to obtain your record:

  • COVID-19 vaccination information must have been submitted to the California Immunization Registry (CAIR2, SDIR, and RIDE) by your vaccination provider
  • All the information you enter into the DCVR Portal must match your record in the registry

Do they have vaccine records for other stuff? Worth looking at, as well as other kinds of medical records, but that's for later. The news report video, here:

...goes all in for doing the state's public relations bid for this registry, selling as a good thing, with a pillow-faced, blonde lady named Genevieve Stevens of East Sacramento, who was interviewed while pumping gas (Who was she? A random member of the public? A state bureaucrat? An authority of some kind?) explaining that there was nothing to worry about. Addressing online privacy concerns, she told the reporter:

I think it's ridiculous because it's an easy way for us to know if someone's safe, ummmm, sort of like having a driver's license, you have to show it sometimes to prove that you're allowed to drive. Umm. You're not sharing secret information, you're just showing that you were vaccinated.

Or, you can just stick to the old crumpled-up paper, the reporter added.

Actually, it shows a lot more than just whether you were vaccinated. It contains your name, telephone number, email, date of birth, all collected information that is highly attractive to hackers. 

Here's a recent instance of "nothing to see here, move along" data breach from the vaccine records of CVS, a vaccine distributor, last month, definitely done for California's database, and reported as far as I can see, only by HealthcareIT News, a trade publication:

Security researchers earlier this spring discovered a database containing more than a billion records, including emails that could be targeted in a phishing attack for social engineering.
The database, which was not password-protected, was flagged by the WebsitePlanet research team in cooperation with Jeremiah Fowler.
Public access to the data was restricted the same day that CVS Health was notified.  
"In March of this year, a security researcher notified us of a publicly accessible database that contained non-identifiable CVS Health metadata," said CVS Health in a statement sent to Healthcare IT News.   
"We immediately investigated and determined that the database, which was hosted by a third-party vendor, did not contain any personally identifiable information of our customers, members or patients," according to the statement.
"We’ve addressed the issue with the vendor to prevent a recurrence and we thank the researcher who notified us about this matter."  

It may have been metadata, but it contained a lot of emails at the very least. Since I got my vaccine at CVS, it could also have my medical insurance information, since CVS collected it, even though the vaccine was supposed to be "free." Well, that's gone, the phishers have at least the emails, maybe more. Nothing to see here, move along.

Who else gets to see this database besides the hackers? According to the California State Department of Health's website:

Will my information remain private?

Yes. Filling out the form on the portal does not provide instant access to your vaccine record. The link to the vaccine record requires a PIN that you create and is sent only to the mobile phone or email that is associated with your immunization record. Only you can decide how and if you want to share your record with others.

Well, no. The federal government gets its cut. So do various California state offices - auditors, etc., according to the receipt of vaccine records page after you make the request.

Please note that any and all information collected in the DVR may be disclosed to the California State Auditor, the California Office of Health Information Integrity, the California Office of Information Security, or other state and federal agencies as required by law.

So those guys get access to it, too.

Sounds harmless, until you remember the state of California's voter registry records. And yes, having tried the vaccine registry and having seen them unable to find my own vaccine record after giving me that notice of who else gets the record after the request, the record system itself seems chaotic, too.

Over and over again, the state insists it's just for record-keeping and public health statistics and will never be abused or passed around.

But actually, it already has been used for political purposes beyond its static-record database claims:

The State of California held a lottery for vaccine recipients, with $50,000 prizes, claiming it had added the names of the potential recipients from the vaccine database whether the recipients asked for it or not.

Are you already vaccinated or about to be? Great! You’ll have a chance at winning a dream vacation. We’ve already given away cash prizes of $50,000 and $1.5 million!

Not yet vaccinated against COVID-19? Get vaccinated as soon as possible to be eligible. You’ll also get a $50 incentive card!

Everyone who’s vaccinated could get a free taco at Taco Bell, Chipotle queso blanco, tickets to Six Flags, and special deals on merchandise from the LA Clippers, Golden State Warriors, Sacramento Kings, San Francisco 49ers, and the Team LA Store at STAPLES Center.

And for those who wanted to be entered, if they didn't have your records right, too bad about that, guess you didn't get entered in the lottery for the big payouts. It's like motor-voter registration, which has its own record of bad stewardship. Or the fraud-filled California unemployment claims payouts. What's more, they never published the names of the winners of the prizes, so there's no telling if all the big ones came from the same ballot-harvesting illegal migrant household.

So let's just say there are lots of ways the information can and will be used, not just as passive proofs of vaccine, contrary to the state's claims. You can bet they won't let this database just sit there to be used as a "voluntary" vaccine passport system -- they will think of more ways to use it well beyond its stated purpose.

The state and its boosters go to great ends to say that accessing those vaccine records is "all voluntary," and everyone is free to take a pass on it. But that is to beg the question. The vaccine records exist whether one likes it or not, whether one accesses them or not. And already, there are emerging some pretty far-flung ways it's being passed around.  They didn't exactly tell us this back when they told us all about those "free" vaccines. Now that they've got it, they'd like us to trust them.

Image: Pixabay / Pixabay License

To comment, you can find the MeWe post for this article here.

If you experience technical problems, please write to