TL;DR: I wouldn’t. There’s more than one way this might have happened. Well, or not happened.
That word ‘would’ invites to some … fantasising. — So, had I been on the team right from the beginning, I may have accepted exploring the problem space with Excel (or any other spreadsheet).
Taking risk into account (in COVID-19 cases, that would be the death of patients that may have been prevented), we’d have gotten into answering one question: Can the solution deal with the worst case? - Let’s assume the worst case is that every person in the country gets infected (Yes, unlikely. Yes, in that case we wouldn’t need that data collection anymore…), the system would need do deal with ≈70.000.000 cases (according to wikipedia).
At that point, I would have strongly recommended against using any spreadsheet, and turning to a data base instead.
At that point I imagine 3 possible paths:
- Everything’s cool: The project decides to use a DB system (PostgreSQL, MySQL, maybe even SQLite is good enough (not sure about the amount of data and/or performance). Everything goes smoothly, we progress using DBB, add load and performance testing and let a security expert have a look at things.
- The messenger gets shot: The project fires me, and heads into trouble without me. I will later probably be blamed anyway.
- We’ve always done it this way: The project decides to continue using a spreadsheet. I reraise my concerns, am ignored and decide to leave (not without a written memo that explains my concerns).
I’d really like to see more details about this. That said: Given the information I have and the importance of a working solution, I can imagine that this is considered malpractice.