Watchdogs in the House want to know if agencies are still excessively using Social Security numbers to identify federal employees or dole out government benefits, after a surge in SSN breaches has made ID theft a snap.
Agencies were supposed to stop defaulting to SSN identification starting nearly a decade ago.
A 2007 White House memo originally required agencies to stop overusing SSNs within 22 months. Flash forward to 2015: The federal government announces 21.5 million Social Security numbers were stolen by hackers after a breach of Office of Personnel Management background check records. ID thieves used 1.3 million stolen SSNs in 2014 and 2015 to attack an Internal Revenue Service system for tax fraud purposes.
"The potential for misuse of SSNs has raised questions about how the federal government, obtains, uses and protects SSNs it obtains," Oversight Committee Chairman Rep. Jason Chaffetz, R-Utah, said in a March 24 letter to federal auditors.
ID theft complaints were up 47 percent from 2014, following a spike in reports of tax ID theft, the Federal Trade Commission reported this month.
Given the White House in 2007 instructed agencies to cease the "unnecessary collection" of SSNs and explore alternatives to Social Security numbers for identification, Chaffetz said he's curious about their follow-through on "this clear direction."
The House committee has asked the Government Accountability Office to conduct a review of agencies’ headway in eliminating the use and display of Social Security numbers. The lawmakers also want to assess what actions the White House has taken to ensure agencies have quit overusing SSNs, according to the letter.
The October 2015 "Cybersecurity Implementation and Strategy Plan" mandates the White House update that 2007 privacy memo by this Thursday. Nextgov has asked the White House for comment on the status of the reboot.
On Monday, GAO spokesman Chuck Young told Nextgov the committee’s inquiry is undergoing a typical two-week review process.
Replacing SSNs with other ID codes has not been a walk in the park for one of the largest users of the numbers.
It will take years to adjust and test Centers for Medicare and Medicaid Services computer programs to ensure they are compatible with systems at insurers, doctors, states and every other entity that bills Medicare, according to the agency.
Last April, Congress passed a law forcing the agency to remove Social Security numbers from Medicare cards.
After tweaking or building new programs, the agency must inform about 60 million Medicare beneficiaries and all other participating organizations about the changes, Sean Cavanaugh, CMS deputy administrator and director, told the Senate Special Committee on Aging last fall.
This requires informing senior citizens how to dispose of their old cards in a secure manner and preventing scammers from misinforming them about the new ID procedures. The agency expects outreach will start in January 2018 and continue through April 2019, Cavanaugh said.
At the same hearing on senior citizen ID theft, privacy expert Marc Rotenberg testified there is "no other form of personal identification that poses a greater risk to personal privacy."
"Given the rising frequency of health care data breaches, the use of SSNs on Medicare cards places an already vulnerable population at even greater risk for identity theft," added Rotenberg, president of the Electronic Privacy Information Center.
In 2015, there were 253 health care organization breaches that compromised more than 112 million records in total, according to a Forbes analysis of Health and Human Services Department statistics.
ID theft victims lost a collective $15.4 billion in 2014, according to the most current Bureau of Justice and Statistics cost estimate.
That’s not to say doing away with SSNs is a doomed-to-fail proposition for the federal bureaucracy.
The Pentagon stopped printing Social Security numbers on all Defense Department ID cards by June 2011 and will substitute new identifiers. The Veterans Affairs Department rolled out new VA health ID cards in 2014 that do not store SSNs in card magnetic strips or barcodes.