The U.S. government has not yet made its official recommendations for who should be able to get COVID booster shots this fall, but FDA officials published a policy position in the New England Journal of Medicine announcing that it intends to make some drastic policy changes. The changes could result in healthy people under age 65 losing access to COVID vaccines, according to vaccine experts who have spoken about the policies. Here’s what we know so far, and why the announced policy could be a problem. 

How COVID vaccines are currently approved

Scientists have changed the formulation of COVID vaccines a few times over the years, because the COVID virus itself tends to mutate. Vaccines are updated to better match the strains that are circulating, and this has happened roughly once a year—similar to how flu shots are updated each year. 

Instead of designing new vaccine trials from scratch for each small change in the COVID vaccine, manufacturers conduct studies to show that the immunity people get from the new vaccine is equivalent to what people got from the old vaccine. 

After approval from the FDA, the CDC then issues a recommendation for who should get the vaccine. Currently, everyone aged 6 months and up is recommended to get a COVID vaccine. 

What might be changing

The new policy, according to the NEJM article, would be to accept those immunobridging studies only to approve vaccines for people aged 65 and up, and people above the age of 6 months who have one of the high-risk conditions on a list maintained by the CDC. 

For healthy people under 65, the FDA’s policy wouldn’t approve new COVID vaccines unless they were tested against a placebo. (The type of placebo is phrased vaguely: “The control group could receive a saline placebo,” the authors write.) 

The FDA doesn’t have the authority to change the recommendations on who should get vaccines that are already approved (that’s the CDC’s purview), but it is in charge of approving vaccines and can approve them only for specific populations. 

Why placebo-controlled trials are an absolutely wild idea for COVID vaccines

Public health experts are, to put it mildly, not happy with this plan. That’s because we already have COVID vaccines that work. Doing a placebo-controlled trial would require withholding COVID vaccines from people in the control group; they would get saline instead of a functional vaccine. 

The normal way to do this type of trial (if you do one at all, rather than relying on immunobridging) is to compare the new vaccine or medication against one that is already considered effective. To use an extreme analogy, you wouldn’t test a new design of seatbelt by randomizing people to ride around without using any seatbelts at all. 

Vaccine scientist Peter Hotez told CNN that the FDA’s announced approach “essentially denies access to vaccines,” since such trials are not practical for companies to do. In a post on Bluesky, toxicologist Ryan Marino said that it amounts to “scientific misconduct.” Vaccine expert Paul Offit told NPR “I don’t think it’s ethical, given that we have a vaccine that works, given that we know that SARS-CoV2 [the COVID virus] continues to circulate and cause hospitalizations and death, and there’s no group that has no risk.”

More vaccine chaos may be coming

The new policy isn’t official yet, but it’s hard to imagine the FDA and CDC being allowed to approve and recommend vaccines the way it always has in the current political climate. Biologics director Vinay Prasad and FDA Commissioner Marty Makary, whose names appear on the FDA’s policy statement, have a history of arguing against COVID vaccine access for children. 

And both agencies are under the umbrella of HHS, the department of Health and Human Services, which is headed by Robert F. Kennedy, Jr—the same person whose anti-vaccine organization financed the movie Plandemic. If you don’t recall the details of that movie circulating in the early pandemic days, it implied both that COVID wasn’t real and that it was a bioweapon created by the government; the logic didn’t hold together but ultimately the point was that we should be suspicious of vaccines. (I have more on Plandemic here.) 

RFK, Jr has said a lot of bananas stuff about vaccines. He has compared childhood vaccines to the holocaust, claimed that Bill Gates put microchips in vaccines, and loudly questioned whether vaccines cause autism. How this man got put in charge of a health agency, I will never understand. 

Recent and future vaccine approvals may be at risk in this environment. Moderna had planned to submit a combined flu/COVID vaccine for approval; it has since withdrawn its application. (It’s not clear whether recent FDA policy announcements are directly related.) Novavax’s recent vaccine was approved recently, but only after a delay and only for older adults and for people with high-risk health conditions. Kennedy released a report today that questions the childhood vaccine schedule and implies that vaccines are part of the “stark reality of American children’s declining health.” 

If you use the internet, you’ve probably had at least some personal information go missing. It’s just the nature of the web. But this latest discovery, as reported by Wired, is something different.

Security researcher Jeremiah Fowler found a public online database housing over 180 million records (184,162,718 to be exact) which amounted to more than 47GB of data. There were no indications about who owned the data or who placed it there, which Fowler says is atypical for these types of online databases. Fowler saw emails, usernames, passwords, and URLs linking to the sites where those credentials belonged. These accounts included major platforms like Microsoft, Facebook, Instagram, Snapchat, Roblox, Apple, Discord, Nintendo, Spotify, Twitter, WordPress, Yahoo, and Amazon, as well as bank and financial accounts, health companies, and government accounts from at least 29 countries. That includes the U.S., Australia, Canada, China, India, Israel, New Zealand, Saudi Arabia, and the UK.

Fowler sent a responsible disclosure notice to the hosting provider of the database, World Host Group. Fowler was able to detect signs that the credentials here were stolen with infostealer malware, which bad actors use to harvest sensitive information from a variety of platforms—think web browsers, email services, and chat apps.

Following Fowler’s notice, World Host Group restricted the database from public access. The provider told Wired that the database was operated by a customer, a “fraudulent user” who uploaded illegal information to the server.

In order to ensure these credentials were real, and not just a bunch of bogus data, Fowler actually contacted some of the email addresses he found in the database. He got some bites, and those users were able to confirm the records that he found associated with their emails. That’s no guarantee that all 184,162,718 records are accurate, but it’s a good sign that most are. As such, it’s entirely possible you and I both had credentials exposed in this database. What’s worse, Fowler says there’s no telling how long the database was open to the public before his notice shut it down.

There’s a lot bad actors and hackers can do with this type of information. If they know the username and password combo to one of your accounts, they’ll not only see if they can use it to break into that account, but they’ll use it on other accounts of yours as well. If you reuse passwords, as many do, you could be facing a mass breach. It’s bad enough when that concerns Facebook and Roblox accounts, but seeing as there were financial, health, and even government accounts here, the implications are huge.

How to protect yourself

If you don’t have access to the database, you can’t say for sure whether your credentials are listed there, or which credentials they have.

Still, if you haven’t changed the passwords for your accounts in some time, now might be a good time to do so. You don’t need to change your passwords as frequently as traditional security advice has taught us, but it certainly wouldn’t hurt to give your accounts a quick security audit.

Make sure you’re using a strong and unique password for each and every one of your accounts. If you repeat passwords, you run the risk of credential stuffing (hackers trying the same stolen password on multiple accounts). In order to keep tabs on those passwords, use a secure password manager.

Make sure you’re using two-factor authentication (2FA) on all of the accounts that allow it. That way, even if a password is exposed, hackers won’t be able to break into your account without the device containing the 2FA code. To boost your security, avoid SMS-based 2FA when possible, and opt for more secure 2FA options, like an authenticator app or physical security key. If your account offers it, try a passkey to combine the convenience of a password with the security of 2FA.