Skip to content

HHS Inspector General Report Highlights Failure of CMS to Protect Medicare Beneficiaries from Identity Theft

October 22, 2012

Washington, DC – The Department of Health and Human Services (HHS) Office of Inspector General (OIG) has released a new report detailing repeated occasions when the Centers for Medicare and Medicaid Services (CMS) failed to protect beneficiaries who had their Social Security Number (SSN) compromised.  The findings also indicate that CMS has not taken adequate steps to protect beneficiaries when an individual’s SSN-based Medicare identification number (known as the Health Insurance Claim Number (HICN)), has been compromised.

In reaction to the report, Social Security Subcommittee Chairman Sam Johnson (R-TX) said, “Protecting Social Security numbers has been a priority of the Ways and Means Committee that both sides of the aisle agree on.  Seniors are urged not to carry their Social Security card to protect their number, but at the same time they need to carry their Medicare card at all times to get health care.  This makes no sense.  This report is a wakeup call for CMS to heed the advice of its own Inspector General and take immediate action to develop a new system for protecting seniors from medical identity theft.”

Health Subcommittee Chairman Wally Herger (R-CA) concurred, “This report adds to the growing chorus of voices that have highlighted the need to protect beneficiary SSNs.  While CMS agreed with the OIG recommendation that it issue a new identification number when a beneficiary’s has been compromised, actions speak louder than words.  Though years of CMS indifference and delay make me skeptical, my hope is that this report finally persuades the agency to stop use of the SSN as the Medicare identification number.”

Key Findings:

  • The OIG evaluated cases of 13,775 beneficiaries who have had their personal information breached and an agency database of 284,000 beneficiary compromised HCINs.  These individuals have been involved in medical identity theft or are considered vulnerable to it.  The report states that CMS “offers few remedies” to these beneficiaries. 
  • In response to its findings the OIG made five recommendations, including:
    • CMS meet its legal breach notification requirements and improve the utility of its compromised HCIN database;
    • CMS issue a new Medicare identification number to identify theft victims, and;
    • Recognizing that using the SSN as the Medicare number complicates this task, the OIG urged the agency to develop alternatives that enable it to reissue Medicare numbers.   


In 2010, according to the U.S. Department of Justice, of the 8.6 million households who experienced identity theft, over 1 million were headed by seniors age 65 and older.  Critical to reducing that number is protecting the SSN.  Despite that the Government Accountability Office (GAO) called for removal of the SSN from government documents in 2002, after a decade of repeated findings that displaying SSNs on beneficiary Medicare cards unnecessarily places millions of Americans at risk, CMS still had not taken steps to remove the SSN from Medicare cards.

This Congress, Social Security Subcommittee Chairman Sam Johnson (R-TX) and Rep. Lloyd Doggett (D-TX), introduced the Medicare Identity Theft Prevention Act, which would remove the SSN from the Medicare card.  In August 2012, the Subcommittee on Health and Subcommittee on Social Security had a hearing addressing CMS’ failure to develop and execute a plan to remove the SSN from beneficiary Medicare cards.