Death by a Thousand Hacks

Opinion

By Amy Kerr Hardin | Sept. 16, 2017

It’s just not that unusual anymore. My credit card was hacked twice in the past three years. And last year, my 24-year-old daughter had her identity stolen. Her resulting credit report was 54 pages long. A few years ago, in a nightmarish scenario, my best friend had her IRS identity hijacked. It’s becoming an everyday thing for too many of us.

Believe it or not, Michigan is ahead of the curve in the battle against hackers. In a moment of legislative sanity in 2015, the Michigan House managed to spitball together a resolution demanding the U.S. Congress enact a law to prevent federal agencies from printing complete social security numbers on correspondence. Seemed simple enough. Michigan had already passed such a law back in 2004 prohibiting the use of any more than four consecutive digits of a social security number.

A 2010 federal mandate already forbids federal, state, and local governments from printing social security numbers, or portions thereof, but only on checks — a previously common practice designed to ensure that the person cashing the check was the intended recipient. The following year, another bill was floated to remove social security numbers from Medicare cards. At first the effort stalled, but the initiative recently became law. In 2018, 57 million Medicare recipients can expect to see revised cards.

Still, this willy-nilly patchwork of edicts leaves many citizens vulnerable to hackers. If you’re a student, a patient, or have health insurance, you remain at risk. 

Know your rights.

So, who can legally ask for a social security number? The list is short: employers, insurance companies, lenders, colleges, credit reporting agencies, and businesses that provide products or services that must be reported to the IRS, such as real estate agents and auto dealers. Additionally, certain financial transactions require reporting to guard against money laundering. Yet, all of these entities are vulnerable. A recent cyberattack on the credit reporting agency Equifax exposed sensitive information on 143 million Americans — that’s more than half the working-age population.

Who can we safely say “no” to then? For starters: doctors and lower education authorities.

Say No to the Doctor.
With the exception of Medicare and insurance companies, health care professionals and hospitals are not entitled to social security numbers, although they all too often ask for them, claiming the need to identify a patient’s health insurance plan. This just isn’t necessary.

Medical records are a prime target for bad guys. They provide a treasure trove of personal information not available elsewhere. Stolen medical data is a hot commodity, yet few consumers are aware of how sensitive this information truly can be. A 2015 survey of 1,000 American adults found that only 11 percent cited medical records among their top security concerns.

If a health care provider requests your social security number, Consumer Reports advises to simply leave that area of the form blank. Often the provider won’t even question or notice. If they do, explain that you’re concerned about identity theft. If you feel pressured, consider choosing another facility or doctor.

For those covered under either the Affordable Care Act or enrolled in an employer group plan, the feds insist your social security number be attached to your insurance records under the Mandatory Insurer Reporting law. So, if you’re lucky enough to be covered, you’re at risk for identity theft. This is no hypothetical problem. A couple years ago, Michigan’s Blue Cross Blue Shield customers were exposed in a large-scale hack via their affiliate, Anthem. The fallout is yet to be known.

Say No to the School.
Many lower-education institutions ask for student and sometimes parental social security numbers for their records. The Civil Rights Division of the U.S. Department of Justice has made it abundantly clear that families have the right of refusal. If a school district requests a student’s social security number, they must inform both parent and child that providing the number is voluntary and that refusing to comply will not bar the child from enrolling or attending school. The school is additionally required to explain how the number will be used.

College is a whole different story. Students in higher education face the daunting specter of both the Common App and the Free Application for Federal Student Aid — aka, the dreaded FAFSA. The Common App, a standardized application for admission used by hundreds of institutions and millions of students, does not require a social security number if the applicant does not have one, i.e. foreign students. But sorry, they absolutely demand the information from American applicants.

FAFSA, as many families know, necessitates everything but a DNA sample. Expect to report social security numbers, along with mind-boggling minutiae of personal financial data on both the student and their parents — you have no secrets in the world of higher-ed. It’s impossible to overstate how disastrous a breach of the FAFSA database would be.

And that’s just the tip of the iceberg. By necessity, many other federal and state programs have access to social security numbers and sensitive financial information, particularly those that require income verification through the IRS — food assistance, like SNAP, comes to mind. Once again, it seems that those with the fewest resources are the most vulnerable. 

Michigan lawmakers had it right: The federal government must step up to protect citizens from identity theft. It’s time to stop using social security numbers where not absolutely necessary, and to mandate an absolute lockdown on databases that contain them.