GAO: Medicare ID Cards a Fraud Risk Report Calls for Removal of Social Security Numbers

Citing concerns about identity theft risks, a new Government Accountability Office report urges the Centers for Medicare and Medicaid Services to step up its efforts to remove Social Security numbers from Medicare beneficiaries' identification cards.

See Also: How to Anticipate Breaches & Prevent Data Loss: Avoiding the Fate of OPM

The report cites several previous studies conducted by CMS that looked into potential ways to remove Social Security numbers that are displayed on Medicare cards and the potential costs of the IT systems work involved. But despite those studies, the agency has not yet taken key steps to implement a plan, the GAO notes.

Although CMS agrees with the GAO's recommendations for action, it states in its comments that "a clear source of funding for both IT and non-IT activities associated with SSN removal would need to be identified before proceeding."

In addition, CMS says it would also need agreement from some other agencies, including the Social Security Administration, before proceeding with a project to remove the SSNs.

Stephen Morreale, a former Department of Health and Human Services fraud investigator, says removing Social Security numbers from Medicare cards is critical to efforts to prevent ID theft and fraud.

"This is long overdue. The government is slow to move," says Morreale, who is chair of the criminal justice department at Worcester State University. "I see the need to use Social Security numbers for the verification of an identity, but [we need to] remove those numbers from the cards, or at least truncate the numbers to use only the last four digits. These numbers should not need to be presented by beneficiaries to healthcare providers; they should be stored and protected in the systems that process these transactions."

GAO Recommendations

The report recommends that to get the ball rolling on the effort to remove SSNs from Medicare cards, CMS should identify, develop and implement the changes needed to affected IT systems and designate a "business owner" responsible for the project. It recommends the project be incorporated into a larger CMS IT modernization initiative that's under way.

The GAO report notes that certain other federal agencies, including the departments of Defense and Veterans Affairs, already have stopped displaying SSNs on ID cards. For example, in June 2011, DoD completed efforts to replace almost 10 million military identification cards that had SSNs printed on them with cards that stored the numbers in bar codes. In November 2004, the VA completed a project aimed at replacing almost 8 million cards that contained the printed numbers.

Both agencies, however, are now working to also remove the numbers from the barcodes and magnetic stripes on the cards by 2016. That's because advancements in technologies, such as barcode readers on smart phones, make the embedded numbers vulnerable to fraud threats as well.

Long History

Since 2006, CMS has conducted three studies on potential approaches to replacing the SSN-based Medicare identifier on beneficiary cards. CMS also issued reports to Congress on the results of those studies in October 2006, November 2011, and May 2013.

"However, while each of the studies addressed, at a high level, the impact of various approaches on CMS's IT environment, they were not intended to identify a specific technical solution for removing SSNs from cards," the GAO report says.

For instance, the 2006 study was initiated in response to congressional concerns regarding identity theft and the use of SSNs on the cards. A study in 2012 looked at estimated costs to remove SSNs from the cards.

The 2013 study pursued cost estimates that were more reliable than those in the 2012 report. The GAO report notes that information collected during the 2013 study "could be leveraged to support a future IT project to address SSN removal. ... [However], the agency's chief information officer has not received direction from CMS's leadership to submit a proposal for an IT project that would lead to the identification, development, and implementation of a technical solution."


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network