OFFICE OF
THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

REMOVING SOCIAL SECURITY
NUMBERS FROM MEDICARE CARDS

May 2008

A-08-08-18026

AUDIT REPORT

Mission

By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA's programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
Promote economy, effectiveness, and efficiency within the agency.
Prevent and detect fraud, waste, and abuse in agency programs and operations.
Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

Independence to determine what reviews to perform.
Access to all information necessary for the reviews.
Authority to publish findings and recommendations based on the reviews.

Vision

We strive for continual improvement in SSA's programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

MEMORANDUM

Date: May 2, 2008
To: The Commissioner
From: Inspector General
Subject: Removing Social Security Numbers from Medicare Cards (A-08-08-18026)

OBJECTIVE

Our objective was to determine the status of corrective actions the Social Security Administration had taken to address our recommendation regarding removal of Social Security numbers from Medicare cards, resulting from our January 2006 report, Hospitals' Use and Protection of Social Security Numbers.

BACKGROUND

Medicare, authorized by Title XVIII of the Social Security Act, is a health insurance program for aged individuals and individuals with certain disabilities or end-stage renal disease. To assist in the administration of this program, the Centers for Medicare and Medicaid Services (CMS) issues identification cards to Medicare beneficiaries. These identification cards display the individual's SSN (Medicare Claim Number) or the primary wage earner's SSN, as shown in Exhibit 1.
Exhibit 1: Medicare Card

Although no single Federal law regulates overall use and disclosure of SSNs, the Social Security Act and the Privacy Act of 1974 contain provisions that govern disclosure and use of SSNs. Additionally, the Office of Management and Budget (OMB) issued a memorandum to Federal agencies on safeguarding against, and responding to, breaches of personally identifiable information, including SSNs. Federal agencies are required to reduce the volume of collected and retained personally identifiable information to the minimum necessary, including establishment and implementation of plans to eliminate unnecessary collection and use of SSNs.

Our 2006 audit identified vulnerabilities associated with displaying SSNs on medical related documents and identification cards. We recommended that SSA encourage CMS to remove SSNs from its identification cards and partner with them to develop an alternative identifier that met both agencies' needs. SSA agreed with the intent of our recommendation and stated it would work with CMS to ensure the SSN is protected from unnecessary and/or unauthorized disclosure.

To determine the status of corrective actions taken, we interviewed representatives from SSA's Offices of Public Service and Operations Support and Disability and Income Security Programs and CMS' Chief Operating Officer. We also contacted several Federal agencies that have taken action to remove SSNs from identification cards. See Appendix B for additional information on our scope and methodology.

RESULTS OF REVIEW

Despite the increasing threat of identity theft, CMS continued to display SSNs on identification cards it issued to Medicare beneficiaries. Displaying such information on Medicare cards unnecessarily places millions of individuals at risk for identity theft. This is particularly troubling because CMS instructs individuals, many of whom are elderly, to carry their Medicare card with them when away from home. We do not believe a Federal agency should place more value on convenience than the security of its beneficiaries' personal information.

In response to growing public and congressional concern over unnecessary exposure of SSNs, CMS reviewed its practice of displaying SSNs on Medicare cards and provided Congress a report containing initial cost estimates and a potential approach for transitioning to a non-SSN Medicare identifier. CMS officials told us they had not received a response from Congress, and the Agency had no position regarding the removal of SSNs from Medicare cards. SSA responded stating it supported the goal of limiting the display of SSNs to reduce fraud and identity theft and outlined the financial and systems impact such a change would have on the Agency. Based on our previous audit and investigative findings, we know the unnecessary display of SSNs increases the potential for dishonest individuals to obtain and misuse them, creating SSN integrity issues. To help address the growing problem of identity theft, some Federal agencies have taken action to remove SSNs from identification cards. Because the subject of this report involves possible legislative and policy changes for CMS, we plan to provide a copy to the U.S. Department of Health and Human Services, Office of the Inspector General.

STEPS TAKEN TO REMOVE SSNs FROM MEDICARE CARDS

In its 2006 report, CMS outlined the timeframe and cost of transitioning to a non-SSN based Medicare identifier. Specifically, CMS estimated that moving to a non-SSN based beneficiary identifier would be an 8- to 13-year project that included a fixed 3-year preparation period. The estimated timeframe for changing all beneficiary identifiers would be no sooner than 5 years and no longer than 10 years. Total costs for implementing the change in 5 years after the preparation period were estimated to be over $300 million. CMS developed the report based on the assumption that it would be responsible for generating and assigning a new identifier that would only be used for Medicare business. If funded, CMS would assign each beneficiary a new, unique Medicare beneficiary identifier over time. As of September 2007, CMS had not received a response from Congress.

CMS officials told us they did not consider the report to Congress to be an in-depth study. They described the study as more of a cursory review and stated they would need to perform a more detailed study if Congress mandated CMS to remove SSNs from Medicare cards. CMS officials told us they were not opposed to removing SSNs from Medicare cards but questioned what identifier the Agency would use in place of the SSN. In fact, CMS officials told us they preferred that SSA develop a new identifier because it would be less costly. CMS officials told us they are only looking at potential options for replacing SSNs on Medicare cards and any selected approach would depend on the funding Congress provided and the length of time given to implement changes. CMS officials told us they had no position regarding the removal of SSNs from Medicare cards.

SSA commented on the report stating it supported the goal of limiting the display of SSNs to reduce fraud and identity theft. SSA also stated that systems changes, training for front-line employees and handling public inquiries would increase Agency costs. SSA estimated the 5-year costs to be about $30 million but expected CMS to reimburse the costs. Additionally, SSA stated it was imperative that the format of any new Medicare number be structured differently from the SSN and should be clearly identifiable, at a glance, as a non-SSN. SSA officials with whom we spoke told us they did not believe it would be appropriate for SSA to pursue its own legislation to require that CMS remove SSNs from Medicare cards. Officials told us they believed CMS could take action to remove SSNs from Medicare cards without legislation.

POTENTIAL RISKS ASSOCIATED WITH DISPLAYING SSNs ON IDENTIFICATION CARDS

CMS' display of SSNs on Medicare cards entails certain risks. Although there are no data on the extent to which Medicare cards contribute to identity theft, each time an individual divulges his or her SSN, the potential for someone to illegally gain access to personal information increases. For example, many individuals carry their Medicare cards in their wallets or purses and could become victims of identity theft should dishonest individuals steal such items or lift their Medicare number from a beneficiary card or medical document. In fact, instructions on the back of Medicare cards direct individuals to carry the card with them when they are away from home. This practice, according to the consumer advocacy organization, Consumers Union, "is putting senior citizens at risk for identity theft." Consumers Union further stated "there is no excuse for leaving Medicare beneficiaries vulnerable to identity theft with a thinly disguised Social Security number on their membership card." Consumers Union relayed its concerns to CMS, pointing out that many commercial insurance companies had taken steps to remove SSNs from identity cards and recommended that CMS take similar steps to safeguard the identities of Medicare recipients. CMS informed Consumers Union that it had considered removing SSNs from Medicare cards but had no definite plans for doing so. In contrast, SSA recommends that individuals keep their Social Security card in a safe place and not carry it with them unless it is needed to show an employer or service provider.

In addition, the Government Accountability Office (GAO) has reported on the vulnerabilities associated with the display of SSNs on identity and eligibility cards issued under Government auspices. Specifically, GAO stated that cardholders are often required to use their card at the point of service, which means a practical need to carry and display it often, thus increasing the likelihood for accidental loss, theft, or visual exposure. GAO concluded that continued display of SSNs on identification cards presented a risk of identity theft.

SOME FEDERAL AGENCIES ARE TAKING STEPS TO REMOVE SSNs FROM IDENTIFICATION CARDS

Incidences of identity theft and the recognition that SSNs are linked to vast amounts of personal information have led some Federal agencies to remove SSNs from their health insurance or identification cards. For example, in September 2007, the Department of Veterans Affairs (VA) issued a report on its efforts to eliminate the unnecessary collection and use of SSNs. In its report, VA stated that new veteran identification cards no longer displayed SSNs. Additionally, VA removed SSNs from cards issued for its specialized health programs, letters, correspondence, prescription bottles, mailing labels, and billing statements. VA has also begun exploring new ways of identifying veterans and employees in its systems and processes. An official with VA's Office of Information and Technology told us VA prefers to take steps now to curtail the display of SSNs rather than wait for "the ultimate solution."

In the past few years, the Department of Defense (DoD) has reissued about 4.5 million health care cards that no longer display SSNs. A DoD official with whom we spoke told us it issues about 2 million new cards a year, and none of these cards display SSNs. In addition, DoD is moving forward with plans to develop new military identification cards that would protect the SSNs of approximately 10 million card holders.

The Office of Personnel Management directed all health insurance carriers affiliated with the Federal Employees Health Benefit Program to eliminate SSNs from insurance cards as soon as financially practical. In making this policy change, the Office of Personnel Management acknowledged that SSNs can serve as a critical link in identity theft cases, identity creation, and other crimes. In the past few years, almost all health insurance carriers have removed SSNs from their health insurance cards. For example, a Blue Cross and Blue Shield of Texas official told us they removed SSNs from about 10 million insurance cards (for both Federal and non-Federal subscribers). Although Blue Cross and Blue Shield still uses SSNs internally, they developed a unique identifier for use on insurance cards and correspondence.

Recently proposed Federal legislation, if implemented, may help address the growing problem of identity theft. For example, the Social Security Number Privacy and Identity Theft Prevention Act of 2007 (H.R. 3046) would make SSNs less available to potential identity thieves by limiting use of the SSN as an identifier by government and business. Among other provisions, the proposed legislation would prohibit the display of SSNs on Government checks, employer-issued identification cards or tags, and Medicare cards. Until such legislation becomes law, we believe SSA should proactively work with CMS to lay the groundwork for removing SSNs from Medicare cards. Given the millions of individuals at risk for identity theft and OMB's directive to eliminate unnecessary uses of SSNs, we believe immediate action is needed to address this significant vulnerability.

CONCLUSION AND RECOMMENDATIONS

Despite the potential risks associated with displaying SSNs on Medicare cards, CMS continues this practice. While we recognize SSA cannot prohibit CMS from using SSNs as its primary beneficiary identifier, we believe it can help reduce the potential threats to SSN integrity by taking a proactive role in supporting legislation that would mandate the removal of SSNs from Medicare cards. We recognize that such legislation could be inconvenient for both agencies and may result in additional costs. However, given the potential threats to SSN integrity, such a challenge should not discourage SSA from taking additional steps to safeguard SSNs.

Accordingly, we recommend that SSA:

1. Proactively work with OMB and Congress to expedite the removal of SSNs from Medicare cards in a manner that ensures compliance with Federal guidelines and consistency with approaches taken by other Federal agencies.

2. Continue to partner with CMS to develop an alternative Medicare identifier that meets both agencies' needs.

AGENCY COMMENTS

SSA agreed with our recommendations. The Agency's comments are included in Appendix C.

Patrick P. O'Carroll, Jr.

Appendices
APPENDIX A - Acronyms
APPENDIX B - Scope and Methodology
APPENDIX C - Agency Comments
APPENDIX D - OIG Contacts and Staff Acknowledgments

Appendix A
Acronyms
CMS Centers for Medicare and Medicaid Services
DoD Department of Defense
VA Department of Veterans Affairs
GAO Government Accountability Office
OMB Office of Management and Budget
SSA Social Security Administration
SSN Social Security Number

Appendix B
Scope and Methodology

To accomplish our objective, we

interviewed representatives from the Social Security Administration's (SSA) Offices of Public Service and Operations Support and Income Security Programs;

interviewed the Chief Operating Officer for the Centers for Medicare and Medicaid Services;

interviewed the following representatives from the Department of Veterans Affairs: the Associate Deputy Assistant Secretary for Privacy/Records Management and the Director of the Health Eligibility Center;

interviewed a representative from the Department of Defense's Defense Manpower Data Center;

interviewed a representative from the Office of Personnel Management's Insurance Services Program;

interviewed a representative from Blue Cross and Blue Shield of Texas to discuss their move to a non-SSN based identifier on health cards; and

contacted the Federal Trade Commission's Division of Privacy and Identity Protection to determine if they maintained statistics on incidents of identity theft resulting from SSNs on Medicare cards.

The SSA entity reviewed was the Office of the Deputy Commissioner for Operations. We conducted this performance audit from July through November 2007 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Appendix C
Agency Comments

MEMORANDUM

Date: April 15, 2008

To: Patrick P. O'Carroll, Jr.
Inspector General

From: David V. Foster
Chief of Staff

Subject: Office of the Inspector General (OIG) Draft Report, "Removing Social Security Numbers from Medicare Cards" (A-08-08-18026)--INFORMATION

We appreciate OIG's efforts in conducting this review. Our response to the report findings and recommendations is attached.

Please let me know if we can be of further assistance. Staff inquiries may be directed to Ms. Candace Skurnik, Director, Audit Management and Liaison Staff, at extension 54636.

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT REPORT, "REMOVING SOCIAL SECURITY NUMBERS FROM MEDICARE CARDS" (A-08-08-18026)

Thank you for the opportunity to review and comment on the draft report. We appreciate the report's acknowledgement that we have taken preliminary steps to assess the impact and costs involved with removing Social Security numbers (SSN) from the Medicare card. However, as the report also indicates, we cannot mandate that the Centers for Medicare and Medicaid Services (CMS) utilize an alternative identifier. We take seriously our responsibility to safeguard SSNs and prevent improper release of personally identifiable information (PII) and will continue to work with CMS to ensure SSNs are protected from unnecessary and/or unauthorized disclosure. Our responses to the specific recommendations are provided below.

Recommendation 1

Proactively work with the Office of Management and Budget (OMB) and Congress to expedite the removal of SSNs from Medicare cards in a manner that ensures compliance with Federal guidelines and consistency with approaches taken by other Federal agencies.

Response

We agree that removal of SSNs from the Medicare cards will reduce fraud, identity theft, and the improper release of PII. Congress has been very active in the area of PII as it pertains to theft. OMB has established PII policies to assure that Federal agencies safeguard the personal information they manage. We will be glad to work with Congress, OMB, and CMS to develop steps necessary to carry out this recommendation. We agree that removal of SSNs from Medicare cards would reduce opportunities for fraud, identity theft, and improper release of personally identifiable information (PII). As stated in the report, SSA estimates that the 5-year cost for systems changes, training for front-line employees, and handling public inquiries, would increase Agency costs by $30 million. In order to carry out the recommendation, SSA would need this additional funding.

Recommendation 2

Continue to partner with CMS to develop an alternative Medicare identifier that meets both agencies' needs.

Response

We agree that an alternative Medicare identifier would meet both agencies' needs. Although CMS would be the lead for any effort to identify, select, and implement an alternative identifier, we look forward to working with CMS to develop this identifier. In the interim, we will continue to work with CMS to ensure SSNs are protected from unnecessary and/or unauthorized disclosure.

Appendix D
OIG Contacts and Staff Acknowledgments
OIG Contacts
Kimberly A. Byrd, Director, 205-801-1650
Jeff Pounds, Audit Manager, 205-801-1606
Acknowledgments
In addition to those named above:
Charles Lober, Senior Auditor

For additional copies of this report, please visit our web site at www.socialsecurity.gov/oig or contact the Office of the Inspector General's Public Affairs Specialist at (410) 965-3218. Refer to Common Identification Number A-08-08-18026.

Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations (OI), Office of the Chief Counsel to the Inspector General (OCCIG), Office of External Relations (OER), and Office of Technology and Resource Management (OTRM). To ensure compliance with policies and procedures, internal controls, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality Assurance program.

Office of Audit
OA conducts financial and performance audits of the Social Security Administration's (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA's financial statements fairly present SSA's financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA's programs and operations. OA also conducts short-term management reviews and program evaluations on issues of concern to SSA, Congress, and the general public.

Office of Investigations
OI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as liaison to the Department of Justice on all matters relating to the investigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.

Office of the Chief Counsel to the Inspector General
OCCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Also, OCCIG administers the Civil Monetary Penalty program.

Office of External Relations
OER manages OIG's external and public affairs programs, and serves as the principal advisor on news releases and in providing information to the various news reporting services. OER develops OIG's media and public information policies, directs OIG's external and public affairs programs, and serves as the primary contact for those seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal and external organizations, and responds to Congressional correspondence.

Office of Technology and Resource Management
OTRM supports OIG by providing information management and systems security. OTRM also coordinates OIG's budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the focal point for OIG's strategic planning function, and the development and monitoring of performance measures. In addition, OTRM receives and assigns for action allegations of criminal and administrative violations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides technological assistance to investigations.