Identity 04-19-2021

Why You Shouldn’t Post Your Vaccine Card to Social Media

Dean Coclin

While you may be elated that society is edging towards pre-pandemic times as vaccines have become widely available in most countries, you shouldn’t post your vaccine card online. Posting a picture of your COVID vaccine card on social media could lure attackers and phishers.

Vaccine cards contain personal information that could lead to identity theft or phishing if public

Vaccine cards make a great target for attackers because the white vaccination cards issued in the U.S. are too easy to fake and contain identifying information that an attacker could use to steal your identity. For instance, the card may include:

  • Your full name
  • Your date of birth
  • Where you got vaccinated (which may indicate where you live)
  • Dates you got vaccinated
  • What vaccine you received
  • Possibly even more info

The FTC issued a statement warning people not to post their vaccine cards online, saying, “Some of you are celebrating your second COVID-19 vaccination with the giddy enthusiasm that’s usually reserved for weddings, new babies, and other life events. You’re posting a photo of your vaccination card on social media. Please — don’t do that! You could be inviting identity theft.”

While it is true that there is plenty of info available about you online already, posting your vaccine card puts it all in one place, making you easy prey for identity theft.

“For example, just by knowing your date and place of birth, scammers sometimes can guess most of the digits of your Social Security number. Once identity thieves have the pieces they need, they can use the information to open new accounts in your name, claim your tax refund for themselves, and engage in other identity theft,” the FTC explains.

You shouldn’t even post your card privately on social media, because once it’s out there you have less control. Plus, it could open the door for an attacker to phish more information from you by sending you an email, seemingly from your vaccination clinic. After all, they have your vaccine number, location, date and more just from the card.

Additionally, health records will likely become a growing target for hackers, as the value of a single health record could be worth thousands of dollars. Information on your vaccine card is protected under HIPPA, but by posting your vaccine card online you may void HIPPA protection.

What if you already posted it?

If you’ve already posted it, you can still take it down, along with any other personal information you might have posted online. It might be a good idea to do a social media audit of your posts and privacy settings and your followers to make sure you know who is following you.

Be alert to any Covid-19 communications online

Scams surrounding COVID-19 have been on the rise for a while now, and we’ve noticed an increase in phishing attacks and domains attempting to spoof the CDC or other sites claiming to contain COVID-19 information. This is just the latest online threat for identity left. But in general, internet users need to understand the risks and know how to safely navigate the web.

Protect your identity — safely navigate the web

In general, do not share personal details on social media. When it comes to websites, know how to safely navigate the web. Check sites for TLS/SSL certificates to ensure that your data is encrypted. View our blog on how to identify authorized sites to know how to distinguish authorized from unsecured sites. Finally, do not use personal information that you might share online, or is easy to guess, in your passwords.

It’s okay to celebrate your vaccine, but be cautious online

It's definitely worth celebrating that things are reopening, but don’t put your identity at risk. Find other ways to celebrate. Instead, the FTC recommends taking a vaccine selfie with your band aid or vaccination sticker.


3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min

Featured Stories


Pioneering the next wave of secure digital solutions 


4 best practices for bulk email senders



Driving digital trust with SOC 2-compliant DNS