Beaumont Health’s Information Technology team detected and shut down unusual activity Saturday related to online COVID-19 vaccination scheduling on Beaumont’s Epic electronic medical record system. The Beaumont team determined a user took advantage of an Epic scheduling tool vulnerability and shared an unauthorized scheduling pathway publicly. This allowed 2,700 people to “cut in line” and register for an unauthorized vaccine appointment. Beaumont is cancelling all the appointments that used the unauthorized pathway.
Beaumont also immediately notified the national Epic corporate office so it could communicate with other health systems to prevent this from occurring elsewhere. Epic issued a statement Sunday evening.
Individuals who scheduled an appointment using the unauthorized “backdoor” pathway will be notified that their appointment has been cancelled via the email they provided during the unauthorized scheduling process.
“These appointments violate the ethical distribution framework Beaumont created based upon the State of Michigan’s mandatory vaccine guidelines. We regret 2,700 people in our community became victims of this unfortunate incident. We remain committed to vaccinating as many people as possible who meet the State’s guidelines,” Beaumont Health Senior Vice President & Chief Information Officer Hans Keil said. “We are also notifying the Michigan Hospital Association and other Michigan health systems about the issue.”
This incident did not compromise anyone’s personal medical record, nor did it allow outsiders access to any hospital records. The pathway simply allowed users to schedule an unauthorized appointment that circumvented the current Michigan mandates.
Note: Beaumont will continue sending email invitations to people who meet the state’s criteria to schedule their COVID-19 vaccine. This incident will not interrupt ongoing vaccination operations. Anyone who has scheduled his or her vaccine appointment through Beaumont’s standard process is unaffected by this issue.