Philly DA Investigating Possible COVID-19 Vaccine Privacy Violation

January 27, 2021 - The Philadelphia Department of Public Health abruptly ended its contract with Philly Fighting COVID, tasked with the city’s COVID-19 vaccine distribution, over allegations that the startup company’s privacy policies may have enabled the sale of individuals’ private data, according to multiple reports, including local news outlet WHYY.

Announced on January 25, the city’s public health department cut ties with Philly Fighting COVID after a number of disturbing allegations, including updating privacy policies due to a change in its corporate status from a nonprofit entity.

Updates to the privacy policy would allow for the sale of individuals’ data through its pre-registration site. Those updates were not provided to Philadelphia officials beforehand, nor did the group report whether any of the collected data was indeed sold to outside parties.

“For PFC to have made these changes without discussion with the City is extremely troubling,” according to a spokesperson. “As a result of these concerns, along with PFC’s unexpected stoppage of testing operations, the Health Department has decided to stop providing vaccines to PFC.”

In response, the Philadelphia District Attorney Larry Krasner has launched an investigation into Philly Fighting COVID, which has also been accused of failing to disclose its for-profit status and mishandling COVID-19 vaccinations.

READ MORE: Report: COVID-19 Telehealth Risks and Best Practice Privacy, Security

The Philadelphia Department of Public Health first announced the launch of the city’s first mass community vaccine clinic to be led by Philly Fighting COVID on January 8. Philadelphians were urged to begin the registration process on the group’s COVID-19 website.

The organization is self-described as being a “group of college kids.”

Local reports estimated that 6,800 people had received vaccinations at the site, including 2,500 healthcare workers. Soon after, the swath of concerning allegations came to light. 

One registered nurse who volunteered to administer the vaccine at Philly Fighting COVID site took to Twitter to spotlight her concerns, which included the group failing to ask for the nurse’s medical credentials at the time of her application.

The volunteer also claimed that the CEO of the company took home a number of vaccines intended for the community. 

READ MORE: COVID-19 Sites Plagued with Third-Party Tracking, Posing Privacy Risk

The group was already under fire after claims the group abruptly ceased hosting COVID-19 testing clinics without informing community leaders.

Other allegations included turning away seniors who had scheduled appointments, after they waited in line for hours before being turned away. The group attributed the issue to a site error that allowed too many people to sign up for appointments.

“It is concerning that reportedly Philly Fighting COVID appears to have misrepresented its role in vaccine distribution and is reported to have failed to disclose information about a for-profit operation,” Krasner said in a statement. 

“Like many members of the public, I have questions about the methods used by Philly Fighting COVID in collecting personal data from people signing up for vaccine information, and what this company plans to do or might have already done with that personal data, as well as WHYY’s reporting today that suggests the company’s founder might have taken vaccines meant for public distribution into his personal possession,” he added.

Philly Fighting COVID has denied all allegations and has since updated its privacy policies, stressing that they “never have and never would sell, share, or disseminate any data we collected as it would be in violation of HIPAA rules.” The group also apologized for the “mistake.”

READ MORE: Patient Data Privacy Lawsuit Against Google, UChicago Dismissed

However, the privacy allegations highlight concerns security leaders have shared amid the expansion of community care sites and increased data sharing to support the COVID-19 response. 

Saif Abed,founding partner and director of cybersecurity advisory services of the AbedGraham Group, previously warned of the exact privacy issues brought to light by the Philly Fighting COVID incident:

“Without transparency then suddenly personal demographic data, let alone medical data, could be funneled to third parties, without explicit consumer permission, and used to make decisions that compromise individual freedoms and options in the future post-pandemic,” Abed explained.

Transparency is crucial in times of health emergencies, as patients should understand the protections used to secure their data and ensure their privacy. Perhaps, officials should have given individuals better information on how their data was being gathered, analyzed, interpreted, or analyzed, regardless of whether the public health department controlled the data, or not.

Krasner is encouraging all Philadephians, including city employees, to contact his office with any information on potential crimes regarding the Philly Fighting COVID allegations or other pandemic relief efforts.

For now, the Public Health Department is working on shifting its future allocations of the vaccine to other response teams and scheduling new clinics to ensure those who need it receive their second dose of the vaccine.