Blue Shield Leaks 18,000 Doctors' Social Security Numbers

itwbennett (1594911) writes "The Social Security numbers of roughly 18,000 California physicians and health-care providers were inadvertently made public after a slip-up at health insurance provider Blue Shield of California, the organization said Monday. The numbers were included in monthly filings on medical providers that Blue Shield is required to make to the state's Department of Managed Health Care (DMHC). The provider rosters for February, March and April 2013 included the SSNs and other sensitive information and were available under the state's public records law." Ten copies were requested under the public records law.

Good news though

With so many SSNs leaked, the odds of a criminal picking yours are getting worse all the time!

Re:Good news though

[rmdingler]

Indeed. Perhaps picking up a couple of spares is the only sane defense now.

Re:Good news though

Besides, one day when you are old, the extra security payments from the spare SSNs will come in handy.

Re:Good news though

[NotDrWho]

Maybe at some point after they're all finally out companies, agencies, colleges, etc. will finally realize that using SSN's as their unique identifiers of choice is dangerous.

Re:Good news though

Using SSN as an identifier isn't really the problem.

It's that they want it to be BOTH the public identifier AND the private password.

If it is just an identifier, you should be able to use it publicly - but the whole idea is that you need to guard it and keep it secret because they are treating your knowledge of it as proof that you actually belong to the account is where the problem arises. Either it is just a record number, in which case it shouldn't be a secret - or it is your password, in which case you should have a public record number that isn't secret.

Re:Good news though

[leonardluen]

it wouldn't be an issue if the SSN didn't have to be kept secret. there should be an easily changeable pin that goes with the SSN that you use when you need to apply for a loan or something.

or treat it more like credit card numbers and make it easier to get a new one if it becomes public.

another option issue one time use numbers like some credit card companies do.

there isn't necessarily anything wrong with having a unique identifier for people. the current implementation however is the problem.

Re:Good news though

[cayenne8]

This was my first thought, WTF are they using SS on this type of report at all?!!?

I mean, if they need a record of the physician's business, why not use the Federal Tax ID? Why in the world would anyone give out a SS number in this day in age for anything besides something that is directly related to SS transactions (taxes, payments, etc)?

I don't give my SS to anyone except the bank and for SS tax purposes. My last power company tried to insist I give it to them, when I asked WTF they needed this for simply connecting power they said for a 'credit check'. I talked further and found out they'd take a deposit in lieu of this and that's the road I took. I got the deposit refunded about 6mos later I think.

But seriously, there not a THING these days that should or does require a SS# to be given. However, sometimes, sadly, you DO need to be persistent in your insistence that they don't need it. Speak to a mgr or two if need be, but don't' give it out.

Re:Good news though

[jbmartin6]

That is how the SSN was originally meant to be used. But then along came a need for a global UID for people and whoosh all the promises went out the window. I will try the deposit route though next time I encounter that situation.

Re:Good news though

exactly, was *supposed* to actually be 'against the law' to use it for non-SS purposes: they DEFINITELY foresaw the abuse and potential for the dreaded 'national ID' situation, which is why they DEFINITELY proposed it as a non-universal, strictly limited ID....

Re:Good news though

[Traze]

How trite. A Faux News watcher that hasn't heard how backwards and blatantly untrue this sentiment is.

Re:Good news though

[Traze]

An authenticator in this day and age makes sense to connect to SSNs.

Re:Good news though

[ShanghaiBill]

if they need a record of the physician's business, why not use the Federal Tax ID?

Unless the doctor is incorporated, the SSN is the tax id.

Why in the world would anyone give out a SS number in this day in age for anything besides something that is directly related to SS transactions (taxes, payments, etc)?

They didn't. The gave out their SSN because this is directly related to SS transactions. The doctors receive payments from the insurance company, and those payments must be reported to the IRS on a 1099 form, and that must include the tax id, which is the SSN.

Anyway, I see leaks like this as a good thing. The sooner everyone's SSN is public, the sooner we move away from the idiotic notion that the same number should be used for both identification and authentication, and thus must be simultaneously both widely known and secret.

Re:Good news though

[cyberchondriac]

How trite, another "faux news" comment

Re:Good news though

If mocking a propaganda outlet, and the people it fills with derp that they regurgitate on the web, inappropriate in some way? How do you deal with idiots who can't even comprehend that they are idiots?

Re:Good news though

Yep, this is exactly the problem.

SSN's aren't passwords and can never be kept secret (you're required to disclose them to your employer). They're designed to be a user key for the Social Security tax database. The use of knowing an SSN as proof of identity is asinine.

Re:Good news though

How do you deal with idiots who can't even comprehend that they are idiots?

Laugh and point.

Re:Good news though

[cayenne8]

Unless the doctor is incorporated, the SSN is the tax id.

Err, if the said Dr. is in business and is not incorporated, he's quite a fool.

They didn't. The gave out their SSN because this is directly related to SS transactions. The doctors receive payments from the insurance company, and those payments must be reported to the IRS on a 1099 form, and that must include the tax id, which is the SSN.

Err, no. there is NO place to fill out SS on a 1099 payment. That is precisely where you have and use your TIN (Tax Identification Number), You only give your SS on your Personal tax forms at EOY in that situation.

No, there is no valid reason a Physician should be giving out his personal SS for a business transaction, especially if it is a 1099 and NOT a W2 type form. Taxes are NOT taken out of 1099â¦.you are responsible for that on your own at EOY.

he sooner we move away from the idiotic notion that the same number should be used for both identification and authentication, and thus must be simultaneously both widely known and secret.

ON this I heartily agree.

Re:Good news though

Indeed. Perhaps picking up a couple of spares is the only sane defense now.

Except the SS system can't handle such distribution. As it stands, the numbers are limited to 9 digits and there is a system like the first group is the hospital.

It wouldn't take much to guess numbers.

Re:Good news though

[cyberchondriac]

That's an arrogant point of view. Who are you to judge who's an idiot? And MSNBC is certainly no less biased, and both CBS and NBC have been caught either lying (Dan Rather) or editing/doctoring tapes (as in the Trayvon Martin case).
All the news media are becoming cartoonish extravagances of yellow journalism, but it's trite when when someone feels they must proselytize their bias by attacking selective news sources when news sources weren't a prior part of the conversation; besides, it's just a leftish mantra to be parrotted, no actual thought required. Fox News is not as bad as the strawman lefties make it out to be, but because it gives "those other guys" a strong voice, and it's popular in the face of it's competition, it must be attacked at all costs and at every available opportunity. It just smacks of desperation.
People have been saying that SS is going to be gone before they retire for years, and the danger is real; under Bush, no one challenged that claim, but now suddenly it's just derp?

Re:Good news though

[mpe]

Maybe at some point after they're all finally out companies, agencies, colleges, etc. will finally realize that using SSN's as their unique identifiers of choice is dangerous.

Using them as identifiers isn't actually that bad. Though it's a bit daft not to be able to come up with employee/student/etc numbers.
The problems come trying to use them as AUTHENTICATORS. As well as the daft idea that only you know your own "name"...

Re:Good news though

[MyGirlFriendsBroken]

I don't give my SS to anyone except the bank and for SS tax purposes. My last power company tried to insist I give it to them, when I asked WTF they needed this for simply connecting power they said for a 'credit check'. I talked further and found out they'd take a deposit in lieu of this and that's the road I took. I got the deposit refunded about 6mos later I think.

These companies really don't need it. When I setup my cable, electric etc. I didn't have an SSN, it takes time to get one when you are an immigrant. As soon as they learned I just didn't have one then they went down an alternate procedure. I think in the end I only had to leave a deposit with the cell phone company, everyone else just connected me.

This can be a pain down the line when trying to deal with these companies over the phone though as everyone wants the last 4 digits of your social as part of their authentication process.

Re:Good news though

MSNBC is worse because they think they smart and right

Re:Good news though

[dlt074]

Err, no. there is NO place to fill out SS on a 1099 ayment. That is precisely where you have and use your TIN (Tax Identification Number), You only give your SS on your Personal tax forms at EOY in that situation. No, there is no valid reason a Physician should be giving out his personal SS for a business transaction, especially if it is a 1099 and NOT a W2 type form. Taxes are NOT taken out of 1099æ.you are responsible for that on your own at EOY.

when receiving 1099 income, the issuer of the pay, is supposed to report that income to the IRS. how are they supposed to report it without a SSN or TIN? which is why people who get paid via 1099 usually have to fill out a W-9. which does take a SSN or TIN. your choice. the IRS will default people to a sole proprietor status when they do not incorporate. it is perfectly legit to use your SSN for business purposes. remember the tax system is set up so that there is no right answer 100% of the time. this is to ensure they can always stick it to you when they need to and that nobody ever really knows what's going on and lives in constant fear of being caught.

Re:Good news though

[ShanghaiBill]

Err, no. there is NO place to fill out SS on a 1099 payment.

This is just flat out wrong. Have you ever actually seen a 1099? If you are paying an individual, the SSN is the tax id, and must be listed on the form. If you are paying a corporation, then you don't use a 1099.

Re:Good news though

[kwbauer]

Yup, win a prize worth more than $600 from the radio and such and you won't receive it until you've filled out the 1099 related paperwork that requires you to give yuour SSN. Win more than $600 at the casino or in something like a dart tournament and the same thing happens?

Oh, and as far as end-of-year payments... Coming up quite short on all that excess income will result in some penalties, the least of which is requiring you to file quarterly estimated payments. In other words, if you have a lot of taxable income not subject to withholding, you better be making some mid-year payments or adjusting the withholdings to account for it or you will be required to file and remit quarterly payments the following year.

Re:Good news though

[cayenne8]

I think you missed the part where I mentioned the TIN.

Any smart Dr will be incorporated and use a TIN for tax purposes, not a SSN.

Re:Good news though

[cayenne8]

This is just flat out wrong. Have you ever actually seen a 1099? If you are paying an individual, the SSN is the tax id, and must be listed on the form. If you are paying a corporation, then you don't use a 1099.

Not so, I contract, I am an individual working for my own S-corp.

I have never given out my SSN when being paid 1099 through my company.

I give out only my TIN, they pay me with checks, and at EOY I get a 1099 from them for my tax purposes.

Not such a big problem

When you consider that most doctors are broke and teetering on the brink of bankruptcy, nobody would want to steal their identities anyway.

Re:Not such a big problem

Correction: Most newly graduating and practicing doctors. Established doctors make good money, the lowest average being around 150k year. I don't feel for doctors in general because they are making tons of money off the backs of sick patients. It's time to end for-profit medicine and move to a sane single-payer system. The only thing stopping this is the love of money. Things should be like the military or government, where the medical schools are run by the government and doctors graduate with no debt, but are required to give the government 10 years of service in lieu of tuition. They would get promoted based on time in grade and time in service. They would receive sane salaries like military doctors. It's beyond time to remove the incentive of money for good treatment.

Re: Not such a big problem

That's the dumbest thing I've read. No, they are getting paid for their service and the hard road it took then to get there.

Re: Not such a big problem

[Traze]

They also pay an arm and a leg for malpractice insurance, that would become obsolete with a single payer system. I have an uncle that's an OBGYN, and he pays roughly 400k a year in malpractice insurance.

Re:Not such a big problem

[NatasRevol]

And that won't lead to worse kick backs from drug companies than are already happening with doctors making $200k-$500k a year?

Riiiiight.

Re: Not such a big problem

[bugs2squash]

That seems unlikely to me unless there are special circumstances.

Re: Not such a big problem

[Sentrion]

Physicians tend to partner up with other professionals, like lawyers, bankers and CPAs when they start their own private practices. Many established physicians ARE going broke and filling for bankruptcy after getting drawn too deep into the business side of medicine. Instead of keeping focus on patient treatment, many physicians have their entire life savings linked to the profitability of their practice, which has more to do with negotiating the best deals for insurance reimbursement, malpractice insurance, building leases, utilities, and capital expenses such as X-ray, EKG, or sonogram machines. The bankers and lawyers structure things so they have the lion's share of ROI while the physician is personally exposed to the most liability. Then they have lawyers, bankers, limited partners, and shareholders pressuring them to be more "profitable", which means cutting face time with patients from 15 minutes to 10 minutes, prescribing drugs from suppliers that will pay back "incentives", referring to other specialists and facilities that offer kickbacks, separating physician fees from facility fees to juice more from insurance, performing more tests than necessary to defend against liability while receiving more reimbursement from insurance and medicare, performing sneaky out-of-network or uncovered services on unsuspecting patients with deep pockets, and more frequently flat-out defrauding medicare, medicaid, and private insurance companies.

Patients and physicians both would benefit from either a single-payer system like the UK and Canada have, or a maybe a public-private system like Australia has, where those willing to pay more direct or willing to buy commercial insurance can be treated by private physicians rather than publicly employed physicians, just like we have public and private schools in the US. In the US we actually have a shortage of physicians, especially if we are going to start covering care for more of our poor and working class. Yet many excellent candidates are not admitted to medical school because only the cream of the cream were selected. There are also many qualified physicians educated in Europe and Asia that cannot EVER practice in the US simply because they didn't get their degree here. Direct government investment in programs to train and certify physicians without forcing them into hundreds of thousands of dollars of unforgivable student loan debt would be a benefit to aspiring physicians and patients alike. Direct government assumption of financial liability and discipline of physicians would free physicians to earn an honest and comfortable living while providing patient care that serves the interest of the patient.

Gradually shortening the terms of pharmaceutical patents and finding more cures and treatments through non-profit, grant-funded, university research would help to substantially lower the family burden when it comes to the cost of care. At the end of the day it is the scientists putting in 80-120 hours each week that makes cures possible, and even those scientists working for Big Pharma are not raking in the dough compared to the executives, lawyers, and pharma sales reps. Scientists are not paid any less at the University level so the argument of profit incentive is rather mute.

Re: Not such a big problem

[Luckyo]

I imagine state of current US court system qualifies as "special circumstances".

Re:Not such a big problem

[TheMeuge]

Correction: Most newly graduating and practicing doctors. Established doctors make good money, the lowest average being around 150k year. I don't feel for doctors in general because they are making tons of money off the backs of sick patients. It's time to end for-profit medicine and move to a sane single-payer system. The only thing stopping this is the love of money. Things should be like the military or government, where the medical schools are run by the government and doctors graduate with no debt, but are required to give the government 10 years of service in lieu of tuition. They would get promoted based on time in grade and time in service. They would receive sane salaries like military doctors. It's beyond time to remove the incentive of money for good treatment.

Just like bakers, farmers and chefs. They make money off the backs of HUNGRY people. It's time to end for-profit food-making and move to a sane single-payer system. Things should be like the military or government, and they would receive salaries. It's beyond time to remove the incentive of money for good treatment.

See what I did there?

Re: Not such a big problem

[rjstanford]

I knew an ObGyn who retired shortly after being sued for $BIGNUM for delivering a baby with a clubfoot - a genetic defect. His insurance company refused to fight and wanted to settle for $MEDIUMNUM instead. Thing is, they would then raise his rates significantly. If he chose to fight the case in court and lost, they wouldn't cover any damages since they'd offered to settle it for him. Heads they win, tails you lose.

Re:Not such a big problem

[kwbauer]

Oh, we could go even further and mention programming and IT work. We'd get even closer if we mentioned basement dwelling as an occupation.

Using SSN?

[mwvdlee]

How could a criminal use SSNs anyway?
What types of scam/hack/crime would be possible?

Re:Using SSN?

Identity theft, employment under false pretenses, a whole bunch of stuff.

Doctors' SSNs are worth a LOT, because pretty much every doctor in the US makes a high six-figure income (at least).

Re:Using SSN?

[f00zy]

SSNs, like passwords, need to die. They are a relic that doesn't work anymore.

Re:Using SSN?

[timrod]

They can use SSNs for ANYTHING, which is what's so scary about having yours stolen. They can open credit cards, take out insurance policies, even look for jobs in your name. Essentially, an SSN is a person's identity.

Re:Using SSN?

[plover]

While I don't want to provide a detailed how-to, it goes something like this:

1. Go to store.
2. Fill cart with TVs and other expensive goods.
3. Wait for cashier to ask "would you like to save money by opening a credit card?"
4. ???
5. Profit.

Re:Using SSN?

I'm pretty sure at this point that at least half the population's SSNs have been leaked in the past ten years.

Re:Using SSN?

[drinkypoo]

Someone got a car under my SSN using a check cashing card as proof of identity. They didn't even have any documents with the SSN on them, except a check cashing card.

Re:Using SSN?

[CaptainDork]

I don't see this as a SSN problem; it's more a greed problem on the part of the seller, who failed to enforce due diligence.

Re:Using SSN?

[Charliemopps]

They can use SSNs for ANYTHING, which is what's so scary about having yours stolen. They can open credit cards, take out insurance policies, even look for jobs in your name. Essentially, an SSN is a person's identity.

Right... the problem isn't SSNs, or even the security of them... it's the fact that creditors will ruin your credit over the internet with nothing more than a 9 digit number and having never met you in person or even mailing you a letter. The majority of SSN fraud is done on the SSN of people who are dead. And not like "died last month" as in, dead for decades or even longer. The creditors don't even check to see if you're still alive before issuing a loan. There are more rigorous checks on your identity when you sign up for an online game than there are for getting a $50k loan. It's nuts.

Re:Using SSN?

[drinkypoo]

I don't see this as a SSN problem; it's more a greed problem on the part of the seller, who failed to enforce due diligence.

He didn't just fail to enforce due diligence, his intent was to sell the car to someone not entitled to buy it, so that he could get a judgement. You can borrow against owed debt. It's all a very well-known scam.

Re:Using SSN?

[Bobberly]

One would think that the fix would be for SSNs not to be the sole source for opening new accounts and such. Kinda ironic that the the credit card companies are the ones causing this problem by not requiring better proof of identity. Then again the State of Florida does the same thing. They ask for SSN when filing for property tax exemption for no other purpose than to make sure you didn't file somewhere else as well. Really it just makes for an easy SELECT SSN GROUP BY SSN HAVING COUNT(*) > 1 query to find where someone is in the system twice.

Re:Using SSN?

[Jason+Levine]

With a person's name, SSN, and date of birth (somewhat easy to obtain), you can steal that person's identity and open lines of credit in their name. Add in address (pretty easily obtained) and you can do a lot of damage to their credit - while racking up thousands in purchases to enjoy. I wish I could add the caveat that you'd only enjoy this stuff until the police arrested you but many identity theft cases don't result in arrest because 1) the local police are unprepared to investigate online crimes that span multiple districts/states/countries, 2) the local police don't want to spend resources on an investigation that will just lead to another district having jurisdiction/getting the arrest credit, 3) the federal authorities only care about your case if it is big enough. A single credit card opened in your name will get shrugs from them.

Re:Using SSN?

[kwbauer]

Exactly how can you steal someone's identity? Aren't they still there? Don't their friends still know them? This just makes no sense.

Re:Using SSN?

[Jason+Levine]

The person took my personal information (from where I'll never know) and opened a credit card in my name - in other words, using my identity. This damaged my credit rating. Granted, it wasn't damaged as bad as it could have been, but that's like saying someone took my car for a joyride one night and brought it back with just a dented fender.

Other people who have had their identity stolen haven't been as lucky as I was. The thieves can make off with thousands of dollars worth of merchandise in a couple of days/weeks and the person won't find out about it until the collection agencies come calling for payment. Then, it can take months or years to get your credit rating back to where it was pre-identity theft. In the meantime, you might not be able to get loans that you need or credit cards that you'd like to open. So you can be deprived of access to things you would have had access to had your identity not been stolen. (Lest anyone try arguing that you still have full access to your credit rating the same as if the identity theft never happened.)

Also, if criminal identity theft occurs - criminal is arrested and gives your name/SSN/DOB - you could wind up on police watch lists for years which is a whole other kind of hell. Profiled because you are "a known felon." Failing background checks because of the crimes "you" committed, etc. Even if the error is obvious (wrong skin color, alibi about where you were when "you" were arrested, etc), purging it from the police systems takes years of effort. One system left with the error will start flowing it back to the other systems and start the process all over again.

So it's not that you lose all access to your identity, but rather that your identity becomes tarnished and damaged and it can take you a lot of time, money, and effort to fix it.

Re:Using SSN?

[kwbauer]

Yes, I get it that and kind of now regret my smart-ass comment. It was kind of trollish. I wanted to see how others might compare identity theft to IP theft. To me, they are very similar.

Identity Theft

[Jason+Levine]

I've been through identity theft. It's not fun. And I was lucky enough to catch it quick enough that little damage was done. Capital One approved a card for "me" based on an online form where the thieves had my name, address, DOB, and SSN. Mother's maiden name was wrong, but that didn't stop the approval process. The thieves paid for rush delivery of the card and then changed the address on it. This meant that the card was sent to me BEFORE the address change went through. If this hadn't happened, I would have only known about it once the bill collectors came barging down my door.

On a side note: Capital One was not helpful at all. They stonewalled both me ("If we tell you the address on the card and you go and kill the person, we're liable" = what they actually told me) and the police (gave them a phone number linked to an answering machine and never called back). The combination of their approval of the card, missing all of the red flags along the way, and refusing to help beyond canceling the card means Capital One will NEVER be "what's in my wallet."

For those who think they have bad credit and thus wouldn't be victims, it doesn't take much. Remember, the thieves don't care about whether you can pay back the bills they are generating. All it takes is one credit card company to approve a card and they'll tear through the balance leaving you with thousands in debt that you'll need to prove wasn't your doing. In addition, there's another form of identity theft where a criminal is arrested and gives your name/SSN/DOB instead of their own. Then your name goes into the police databases and you'll be harassed as an assumed criminal. Removal of your name can take years during which time you'll flunk any background checks.

There's no protection that I know of from the latter form of identity theft, but you can freeze your credit to protect against the former. This means that nobody - not even you - can open new lines of credit unless you first thaw the credit files. The downside is that you need to pay to freeze and for each thaw. The upside is that you have a handy retort for all of those "You can save $5 if you open up a credit account with us" offers at the cash register. "No, thanks. My credit file is frozen." I've found these people stop their sales push the minute they hear you were a victim of identity theft. (I don't think that's in the script they are supposed to read to customers. ;-) )

Re:Identity Theft

In Sweden we use our SSN (equiv) for almost everything. We do not expect it to be secret. Also all mail from creditors are always sent to our registered adress. So while we still have identity theft it's much harder for the thieves to actually rerout packages containing credit cards. Rather they often need to steal the package from the mailbox (which can be hard in condos/appartments). I don't really see how the companies considering the SSN to be secret will help anyone. If just everyone assumes that all SSNs are public then other better kinds of identification can be used (like photo ID and registered adress).

A common way to fake an identity here is to steal a real identity card and then trade it with other criminals untill it ends up in the hands of someone who looks similar.

Re:Identity Theft

***"The upside is that you have a handy retort for all of those "You can save $5 if you open up a credit account with us" offers at the cash register. "No, thanks. My credit file is frozen." I've found these people stop their sales push the minute they hear you were a victim of identity theft."

Yeah, because it's so hard to say 'No. Thanks.' Better to look like a douch with bad credit.

Re: Identity Theft

The US and most other English speaking countries do not have "registered addresses". And this is a good thing

Re:Identity Theft

The upside is that you have a handy retort for all of those "You can save $5 if you open up a credit account with us" offers at the cash register. "No, thanks. My credit file is frozen."

Or you could pay for some therapy sessions to reduce your codependency, thus allowing you to say, "NO" without worrying that you're going to hurt the cashier's feelings, or overcome your fear of confrontation.

Re: Identity Theft

The US and most other English speaking countries do not have "registered addresses". And this is a good thing

That's not true, when you register to vote you give them an address which determines you polling place and in what local elections you are eligible to vote.

Captcha: papers

Re:Identity Theft

[Blue+Stone]

So, pretty clearly, there is a huge problem with SSNs being used in the USA as both identifier and authenticator. And this has been know for years, and many people have suffered as a result of this really really stupid system, whose flaws are obvious to everyone using the system.

So how long will it take to get something changed?

Re:Identity Theft

[Jason+Levine]

Sadly, I don't think this will be changed anytime soon. Identity theft doesn't really hurt credit card companies or credit agencies. The credit card companies just close the card and write off the fraudulent purchases. At best. At worst, they'll send collection agencies after you for years until you prove that "you" wasn't really you. (The credit card company in my case had various "suggestions" as to what happened including that my wife opened the account with my information without my knowledge. Finally, since my wife was right there and denied it, they conceded the fraud.) Even if they have to admit the fraud, they can push the charges back on the retailers or just eat the few thousand dollars.

Credit agencies, on the other hand, make their money by selling information about people. (They hate that my credit is frozen because they can't sell my information. ) To them, identity theft is a non-issue. So more people are opening lines of credit on your credit file? Who cares. They'll just adjust your credit score accordingly and demand mountains of proof if you claim that items on your credit report aren't from you. After all, they wouldn't be on your credit report if they weren't yours and they are on your credit report so that means they are obviously yours. There was a bill in Congress at one point to let people freeze/thaw their credit files for free, but the credit agencies lobbied to kill it. Because when the interests of ordinary citizens and giant credit agencies collide, they with the most money (aka the big credit agencies) win.

The businesses who need to change their practices won't do it on their own because identity theft doesn't really hurt them. Meanwhile, the government won't act to force them to change thanks to lobbyist pressure.

Re: Identity Theft

[rjstanford]

Well, yes and no. Its a good thing "in theory" but turns out to be dreadfully inconvenient in practice, just as having an official registered address is a bad thing "in theory" but turns out to be totally reasonable in practice. Its not as you haven't already provided an address to various government agencies for your drivers license, income tax, etc...

Re: Identity Theft

[kwbauer]

Yeah, like that is really verified. Just google "voter registration" to find out why that can't really be considered valid in the US. Yes, we really do have a major political party that has dedicated itself to the notion of allowing anyone to vote, regardless of eligibility (citizenship).

I used to work for one of the subsidiaries of Blue

I used to work for one of companies that lives under umbrella of BlueCross BlueShield (the biggest one) as IT contractor.

Somehow, I am not surprised by the leak. Office of Information Security department was located next my office. People who worked in Info Sec, had no knowledge of security. More or less, it was managerial type of work. They knew is how to use security software, that was often outdated.

Funny part, Info Sec was responsible for keeping up with browsing habits of employees. So, one day, me and couple other guys were looking at boats on the internet. All of the sudden, one of the Info Sec officers rushes into our office, yielding at us: "Stop watching boats on the internet"
Apparently, word "boats" triggered alarm call at the Info Sec. Info Sec has Zero Competence.

Wasn't there an old joke:

[fredrated]

to screw up is human, to really screw up requires a computer.

Another example

[Virtucon]

Another example of why stupid people shouldn't be left in charge. These folks are responsible for managing billions of dollars in health care premiums and payments and a failure in data management policies has lead to a breach. I'm sure they'll just offer the poor doctors "Lifelock" for a year. No wonder our healthcare system is so fucked up.

Re:Another example

Another example of why stupid people shouldn't be left in charge.

Blame the IT Schlubs.

There is no reason--none!--why SSNs should be accessible to anyone without specific need. This is why you use a real database with stored procedures (written by competent devs) that prevent unauthorized selection of restricted columns.

Think of it as a "sudo" for sql. When using the regular reporting account, SELECT * doesn't return any restricted columns* (they don't even show up). One would need to log in to a special account to get those.

* A REAL dev would disallow SELECT * completely.

social security number?

I thought only the internal revenue service, credit card companies, banks and employers need a persons SSN. Why does the health care industry need it? Do they perform credit checks or something?

Re:social security number?

[kwbauer]

The health care industry was the employer. Did you really think that it was just a major coincidence that only those patients who were also doctors had their SSNs leaked?

Monthly filing

[PPH]

I'm going to guess that these filings are done electronically. And that the information provided must fit some sort of pre-arranged schema. Back in the old paper days, a form with labeled fields to be filled out. So if some moron ran a SELECT * to populate the report, the state should have rejected it as not being filled out properly.

Or is this one of these reports that the state requires but never uses? Something that has been done by tradition but everyone has forgotten about the reasoning behind it. So it just gets filed (and posted to a public server these days) with no further thought.

WHY is Social Security information, or indeed ANY

[johnwerneken]

First, it's not hard to get, if you are (1) close to the target or (2) the NSA or (3) a criminal or (4) hang around some in one of the first three groups.

Second, if people and institutions are tending to rely on this information to make decisions about particular individuals, they are just wrong. They ought not to and if they do they should be incarcerated fined and sued for damages.

Granted all that data can model groups, or insurance companies and many other similar activities just would not work. Useless in dealing with people one at a time, whether on has friendly or hostile intent.

Finally, people evolved and until recently - no more than 12,000 years ago - invariably lived so that all knew everything about everyone they dealt with. That is the normal for homo sapiens. Privacy, anonymity and so on are artifacts of incompetent technology, and seem thought to be of value because commonly said incompetent technology has been unwisely if not maliciously used.

Gossip isn't intrinsically malicious - just an effective way of pressuring people to conform, and the least violent and intrusive such thing so far discovered.

Re:I used to work for one of the subsidiaries of B

What, you're not allowed to motorboat at work?