What to do with your vaccination card—and what to avoid.
Though Covid-19 vaccination rates vary by state, community, and country, each administered dose of the vaccine is a sign of hope that we’re one step closer to the end of the pandemic.
Receiving the vaccine is a major life event, and many of us want to share that we’ve been vaccinated to encourage others to do the same. This has led to a trend of posting Covid-19 vaccine cards online; over the past few weeks our Instagram feeds have been flooded with images of white cards. Almost as swiftly as the trend caught on, though, it has been cautioned against from a security standpoint.
Here are three reasons why you might want to think twice before posting a picture of your vaccination card online:
1. You could be opening yourself up to identify theft
While your vaccination card seems harmless as far as social media posts go, it actually contains a lot of information that can be useful to hackers:
- It has your birth date, including the year. Your friends on Instagram might know your birthday, but that doesn’t make it public knowledge that you shouldn’t work to protect. Hackers can actually use your date and location of your birth to figure out your social security number, potentially opening you up to identity theft.
- It says where and when you got vaccinated. With this knowledge, a hacker may be better equipped to target you with a social engineering or phishing scheme. For example, they could pose as the vaccine distribution site that you went to, and ask you to provide personal data in order to hack the credentials to your bank account or steal your identity.
- It has your full name. You might be thinking your full name is easy enough to find that there’s no use in trying to hide or protect it, but when you combine this with the rest of the information on the card, you’re essentially handing your data to a hacker on a silver platter, or whatever hackers like to eat off of. As the FTC puts it in their post warning about the dangers of posting your card online, “Identity theft works like a puzzle, made up of pieces of personal information. You don’t want to give identity thieves the pieces they need to finish the picture.”
Want to learn more about phishing and social engineering? Watch a recording of our Happy Hour with a Hacker event where white hat hacker Rachel Tobac talks about her career as a “helpful” hacker.
2. Posting your card could void your HIPAA protection
HIPAA, the Health Insurance Portability and Accountability Act, is a federal law in the United States requiring that a patient must consent to the sharing of their health information. According to Healthline, information on your Covid-vaccine card falls under HIPAA protection, but once you share that information on social media, it’s no longer protected by law. Exposing information linked to your medical records could make it easier for hackers to access online patient portals and could result in medical identity theft.
3. Someone could replicate your card to get the second dose
A photo of your card after your first shot could be all someone needs to make a fake card and nab your place in line for the second dose—something you might not be aware of until you get the vaccination site. As Attorney D. Wade Emmert told Healthline, even if the photo doesn’t reveal the location where you received the vaccine, the image might have geotagging information embedded, which a savvy cybercriminal can procure to zero in on the site you used. In the UK, scammers have already been creating fake vaccination certificates.
Instead of posting your card online, here’s what you should do once you get vaccinated:
Take a photo of your card on your phone
But don’t post it! Save it for your records.
Enroll in VaxText and v-safe
VaxText, created by the CDC, sends a text reminding you to get your second dose, and v-safe is a similar messaging service that allows you to communicate with the CDC after you receive the vaccine. Through surveys and health check-ins, you can relay any side effects or symptoms, prompting the CDC to call you with follow-up questions if necessary. By enrolling in these services there is a record of your receiving the vaccine even if you lose your paper vaccination card.
Post a selfie with your sticker
And if you really want to post your card, do it from far away enough that no one can actually read any of the personal info on there, like this gymnast from the University of Illinois.
How to make your social media more hacker-proof
The vaccination card trend is giving us a reason to go back and reflect on the information we might have already have out there on social media. It’s time to take a look at your existing posts and get rid of anything that might have sensitive data.
And, while you’re at it, it’s a good idea to change your passwords and security questions, especially if they are made up of personal facts that one might deduce from your social media posts, like kids’ birthdays or pets’ names.
We recommend keeping certain platforms completely private, like your Venmo, which offers a lot of valuable data to hackers, especially when it comes to social engineering schemes.
Don’t just take our word for it, either—see what these infosec pros recently told us about protecting your data.