Social Security numbers on Medicare cards: A well-worn welcome mat for fraud
Imagine this scenario: What if the key to your house was mounted to your front steps? What if there was a glowing neon sign next to those keys that read "This is the key to my house. Come on in"? What if anyone walking by your house could grab that key, unlock your front door and rummage through your personal belongings?
Sounds like an insane proposition, right? And yet, that's exactly what is happening, on an even larger scale, with Medicare beneficiary cards that still prominently display Social Security numbers, contributing to pervasive identity theft and fraud. Even worse, it's happening despite calls for the removal of Social Security numbers that date as far back as 1973.
In a hearing last week by the Senate Committee on Aging, Gary Cantrell, deputy inspector general for investigations at the Office of Inspector General, told committee members that patient and provider identifiers "represent the keys to Medicare reimbursement." Professional identity thieves seek out these identifiers, which serve as a crucial element in a variety of fraud schemes.
They don't have to look very hard. Until just recently, the Centers for Medicare & Medicaid Services (CMS) has made no attempt to deter the simplest and oldest form of identity theft. Instead, Social Security numbers are displayed right there on the front of the card, a welcome mat for identity thieves.
You could chalk this one up to good old-fashioned ignorance if it wasn't for the fact that multiple organizations, including the Government Accountability Office (GAO) have been calling for the removal of Social Security numbers since 2004. The GAO followed up with additional warnings in 2012, 2013 and 2015. Earlier this month, the GAO once again testified before a Senate hearing committee that a large portion of the $77.4 billion in Medicare and Medicaid overpayments could be reduced by removing Social Security cards from beneficiary cards.
But calls to remove Social Security numbers from all identification cards, including driver's licenses, can be traced back even further. In his testimony to the Senate Committee on Aging, Marc Rotenberg, executive director of the Electronic Privacy Information Center pointed to a 1973 report entitled "Records, Reports, and the Rights of Citizens" that recommended the use of Social Security numbers should be "limited to those necessary for carrying out requirements imposed by the federal government," and that "federal agencies and departments should not require or promote the use of the SSN." The following year, the Privacy Act of 1974 included provisions that attempted to limit the use of the Social Security number as a unique identifier.
In 1991, Rotenburg testified in a joint hearing between the House Subcommittee on Oversight and Investigations and the Subcommittee on Social Security, predicting that Social Security numbers would contribute to identity theft if they continued to be used as universal identifiers, which was common practice at the time.
"It is important to emphasize the unique status of the SSN in the world of privacy," he said at a time when identity theft was just barely emerging as a recognized threat. "There is no other form of individual identification that plays a more significant role in record-linkage and no other form of personal identification that poses a greater risk to personal privacy."
Nearly 25 years later, Rotenburg's comments to the Senate Committee on Aging hardly changed at all:
"What we have now seen is that in no sector is the problem of identity theft more severe than it is in the medical records sector."
Given the long history of warnings regarding the pervasive use of Social Security numbers as identifiers, it's inexcusable that CMS has not done more to remove them from Medicare and Medicaid cards, which serve as an open invitation to identity thieves.
CMS' go-to excuse has been that its systems are so complex that simply changing the numbers on Medicare cards is a nearly insurmountable task, conveniently ignoring the fact that private insurers, and government organizations such as the Department of Defense and the Department of Veterans Affairs, have successfully removed Social Security numbers from identifying documents.
Even if you're willing to go along with that story, CMS has done virtually nothing to make even incremental progress toward removing Social Security numbers. Funding, as always, has been an issue, but it wasn't until this year that CMS even began making its first moves to resolve this problem. Now, a new law signed in April requires CMS to remove Social Security numbers by 2019, while also providing $320 million to get the job done.
Better late than never, I suppose. Until then, that neon sign will keep glowing, beckoning identity thieves for four more years, and serving as a harsh reminder of the four decades worth of pleading warnings. - Evan (@HealthPayer)