ALBANY — An investigation by the state inspector general into an incident in which more than 28,000 New Yorkers were able to book COVID-19 vaccine appointments before they opened to the general public found several technical flaws, but found no cybercriminals hacked the system.
"The inspector general found no evidence that systems had been compromised by cybercriminals or that state employees or contractors who possessed advanced access to scheduling links leaked them to the public," the report stated.
The investigation by acting Inspector General Robyn Adair began in January after the state’s COVID-19 vaccine scheduling website had been accessed more than 24 hours before the website was to go online for the public. The report found a "misunderstanding" among the system’s programmers and other workers that allowed public access to vaccine sites when New Yorkers tried to schedule a vaccine.
"By altering the scheduling identification numbers in a known website address, an individual could discover a different vaccination scheduling website that had not yet been published," the report stated. "The process allowed the bypassing of a screening tool and allowed New Yorkers access to websites that were supposed to only be used for staff training."
Many of the links to scheduling websites were quickly disseminated on social media and passed along by counties, schools, union leaders and religious leaders, causing an outrage at the time.
Nearly 20,000 of the appointments that were scheduled through the technical problem were at Stony Brook University. Others were at state-operated sites in Binghamton, Buffalo, Plattsburgh, Potsdam and Utica. The more than 28,000 appointments made through the premature access were canceled by the state.
The scheduling problem came at a critical and frustrating time in distributing what was then a limited supply of 250,000 shots for 7 million eligible New Yorkers. At the time, many residents were scrambling for appointments during a troubled rollout of the state website that required many people to constantly refresh their attempt to get an appointment over hours.
But on Jan. 13 and 14, some New Yorkers felt like they had gotten lucky when they signed up and were offered appointments days away. The state, however, emailed them on Jan. 14 that their appointments for vaccines were made in error, and the appointments were canceled. They were then forced to restart the process of trying to get an online appointment.
"Several factors left open the possibility for members of the public to prematurely and unknowingly ‘jump the line,’" Adair said. She credited state workers for acting quickly to fix the problem.
"Our investigation identified ways to ensure that the state’s vaccination registration system is able to withstand ongoing efforts to fairly and efficiently get shots in the arms of all New Yorkers," Adair said.
One of the methods that was used to jump the line is called URL rewriting. Some New Yorkers took advantage of the sequential numbering of links to vaccination scheduling sites. By altering the last numbers, they could access a scheduling site that wasn’t yet available to the public. For one site alone in Albany, URL rewriting provided appointments to more than 700 people in 20 minutes, the report stated.
Another problem was the screening tool, which asked applicants questions to make sure they were qualified for vaccinations. But an applicant could bypass this safeguard by pasting the link into a browser, rather than clicking on the link.
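The two flaws described above, sequentially numbered links and a screening step that could be skipped by pasting a link, are both closed by checks made on the server for every booking request. The sketch below is an added illustration, not code from the report or the state's system; the `Site` fields, function names and session identifiers are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Constructed demo key; a real deployment loads this from a secret store.
SCREENING_KEY = secrets.token_bytes(32)


@dataclass
class Site:
    site_id: str          # random, so neighbouring sites cannot be guessed
    publish_at: datetime  # when the public may start booking
    training_only: bool = False


def new_site_id() -> str:
    """Unguessable identifier used in place of a sequential number."""
    return secrets.token_urlsafe(16)


def issue_screening_token(site_id: str, session_id: str) -> str:
    """Issued only after the eligibility questions pass; bound to one session."""
    msg = f"{site_id}|{session_id}".encode()
    return hmac.new(SCREENING_KEY, msg, hashlib.sha256).hexdigest()


def may_schedule(site: Site, session_id: str, token: Optional[str],
                 now: datetime) -> Tuple[bool, str]:
    """Server-side gate run on every booking request, however the URL was reached."""
    if site.training_only:
        return False, "training site"
    if now < site.publish_at:
        return False, "not yet published"
    expected = issue_screening_token(site.site_id, session_id)
    if token is None or not hmac.compare_digest(token.encode(), expected.encode()):
        return False, "screening not completed"
    return True, "ok"


if __name__ == "__main__":
    opens = datetime(2021, 1, 15, 8, 0, tzinfo=timezone.utc)  # constructed date
    site = Site(new_site_id(), publish_at=opens)
    tok = issue_screening_token(site.site_id, "session-A")
    print(may_schedule(site, "session-A", tok, opens - timedelta(days=1)))  # early link
    print(may_schedule(site, "session-A", None, opens))   # link pasted, no screening
    print(may_schedule(site, "session-B", tok, opens))    # token shared with someone else
    print(may_schedule(site, "session-A", tok, opens))    # normal path
```

Random identifiers only make sites harder to find; the publish-time and screening checks are what keep a shared or guessed link from producing an appointment.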
Since then, more than 100 improvements, including installing firewalls, have been made that could pay off as counties and the state plan booster shots and vaccines for children 5 to 11 years old.