The Utah Data Breach
This week the continuing saga of the Utah Medicaid Data Breach continued to unfold.If you haven't been following the story, here's the play-by-play:
- April 4 - State Agencies Investigate Data Breach - the Utah Department of Technology Services notified the Utah Department of Health that a breach on March 30, 2012 accessed 24,000 Medicaid claims. Michael Hales, the Health Department's Medicaid Director tells the Salt Lake City Tribune that "it's likely that few Social Security numbers were on the records as Medicaid clients have different identification numbers on their files."
- April 6 - Impact of Medicaid data breach on DTS server widens - oops. Did we say 24,000? It was actually 181,604 people, of which 25,096 had their Social Security numbers compromised.
- April 9 - Data Breach Expands to Include More Victims - oops. Did we say 181,604? It was actually 780,000 people, of which 280,000 had their Social Security numbers compromised.
- May 15 - Governor Gary Herbert Details Comprehensive State Response to Data Breach - Utah's Governor announces:
- A state-wide audit of every server on the state network, conducted by Deloitte & Touche
- Sheila Walsh-McDonald appointed Health Data Security Ombudsman (a new position)
- Director of the Department of Technology Services, Stephen Fletcher, resigns.
- The Salt Lake Trib reports that the server was likely hacked from Romania, and was hacked because a default password had not been changed.
- A state-wide audit of every server on the state network, conducted by Deloitte & Touche
That is an amazing story. Remember that Utah only has 2.8 million people according to the US Census. So in this single data breach 28% of the residents of Utah had their personal information stolen from them, and 10% of them had their Social Security Number stolen.
The good news, if there is any, is that Utah is now Very Serious about Identity Theft, launching its new IRIS: Identity Theft Reporting Information System in response. What will it take for the other states to get serious about identity theft?
What About Social Security Numbers?
The Utah story was only intended to be a vehicle for asking this question. What are we doing about Social Security Number theft? If hackers get your password, you can have your password reset. If hackers steal your credit card number, the bank will issue you a new one. If your bank account is breached, it is not uncommon to have the bank CLOSE your account and open a new account for you. But what if you the hackers steal your Social Security Number?
The first place that seemed reasonable to check was the Social Security website. They have a page about Identity Theft called Identity Theft and Your Social Security Number (SSA Publication No. 05-10064, ICN 463270, August 2009).
That form asks "What if an identity thief is creating credit problems for you?" and answers the question:
If someone has misused your Social Security number or other personal information to create credit or other problems for you, Social Security cannot resolve these problems.
They have several recommendations:
- Contact the Federal Trade Commission (FTC) or call 1-877-IDTHEFT (1-877-438-4338).
- Contact the IRS Identity Protection Unit (1-800-908-4490) if you think there may be tax issues, such as the identity thief filing a tax return using your number, or taking employment using your number.
- File a complaint with the FBI's Internet Crime Complaint Center (IC3.gov) which is the best course to engage law enforcement in your response.
- Apply for free credit reports. The federal government provides a free Annual Credit Report at AnnualCreditReport.com.
But read on . . . IT IS POSSIBLE to get a new Social Security Number, and Social Security will work with you to do that IF YOUR NUMBER IS BEING ACTIVELY ABUSED, but they warn that getting a new number may actually be worse than the abuse. For example, in the United States, the key to your credit history is your Social Security Number. If you get a new number, congratulations, you now have Zero Credit History. You won't be able to get a credit card or a loan without a lengthy ordeal or a co-signer.
So what is the answer? Despite all the controversy, it may be time to go back to the discussion of a National Identity Card. I visited Spain last summer and my banking security friends marveled at how the US clung to our antiquated system. They have a National Identity Card (DNI - Documento nacional de identidad) that is carried at all times. The chip in the card contains a digitized version of a photo of the bearer, plus a digital version of their signature and finger prints! There is no value to having only the Number -- my friend who was explaining it to me said you can write your number on your business cards, because there is NOTHING ANYONE CAN DO by simply having the number. It is the CARD that has value. If you have my number, but not the chip in my card, it is worthless to you.
I'd like to see this discussion move forward. If criminals don't already have your Social Security Number, it is certainly only a matter of time. Even if it is only a theoretical question right now, it is extremely likely that this question will be a personal matter to you or someone you love in the near future.
Especially if you live in Utah.