The Canterbury District Health Board is apologising to 716 people for the error in the software used in a medical appointment system.
The problem potentially allowed people to see the details of other individuals also making appointments, but no private health information was exposed.
The National Party's COVID-19 Response spokesperson Chris Bishop said it was troubling the IT system does not appear to have been tested thoroughly.
"Why was this system running and being used with clearly no testing and insecure source-code material out there for the world to uncover?"
Bishop said two people who flagged the problem with the Ministry of Health had provided him with further details.
He said it was his understanding that people were able to "log in, pretend to be a vaccinator, alter patient records and change appointment times".
This would have only been accessible to people with IT skills, he confirmed.
"This is potentially a novopay-style scandal and an issue the Government is going to have to deal with.
"I think there are really serious questions to be asked around the roll-out and the efficacy of the national vaccine IT system," he said.