NHS COVID pass scheme could be open to exploitation thumbnail

NHS COVID pass scheme could be open to exploitation

As businesses in England open their doors on ‘freedom day’ yesterday (20 July), concerns have been raised that people can falsely obtain an NHS COVID pass due to a glitch in the system.

The NHS COVID pass is meant to indicate whether someone has either had two vaccinations or received a negative coronavirus test.

When someone submits a negative lateral flow test result via the Government website, a QR code pass is generated on the NHS app, which is valid for 48 hours. 

However, an investigation by the i newspaper, found that a negative test result could be falsely reported by entering a fabricated test code onto the website, meaning the system can easily be exploited.


From 19 July in England, most lockdown restrictions have been lifted and many businesses have reopened.

Although it is not mandatory, the Government has recommended businesses such as theatres, nightclubs, sporting venues use the NHS app to prove customers’ COVID status.

Venues can ask customers to show a QR code generated by the app, which can be scanned by staff.

The NHSX website says: “We encourage the use of the NHS COVID pass in facilities or events where people are likely to be in close proximity to a large number of people from other households for a sustained period of time.”


The UK government has now said there are no plans to change the sensitivity of the NHS COVID app’s contact tracing function after transport secretary, Grant Shapps previously suggested the app may be adjusted, after a significant rise in alerts.

From 16 August in England adults who have had two vaccinations will no longer have to self-isolate after coming into contact with someone with the virus.

Meanwhile in Italy, police say they have discovered several fake EU digital COVID certificate (EUDCC) schemes online. The EUDCC officially launched on 1 July and aims to facilitate safe and free movement in Europe during the pandemic, by exempting holders from travel restrictions.


Dr Saif F Abed, founding partner & director of Cybersecurity Advisory Services, said: “There will always be flaws in the development of software, and while COVID-19 related vulnerabilities are easily politicised, the main take-away from this report is the need to revisit the testing and auditing processes of this platform from both technical and, critically, user experience perspectives. Doing so will enhance public confidence, engagement and safety.

“Interestingly, the NHS can be in a relatively strong position on this as we have mandatory clinical risk management standards (DCB0129/0160) that can be used as a framework to ensure that newly deployed solutions are safe and effective on an ongoing basis.”

NHS Digital told Healthcare IT News that the Department of Health and Social Care (DHSC) is responsible for the NHS COVID pass scheme. DHSC declined a request for comment.

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *