Federal Agencies Have “A Long Way to Go” to Limit the Use of Social Security Numbers and Adequately Protect Americans’ Identities

Government Accountability Office Provides Status Update 10 Years After OMB Required Federal Agencies to Reduce Unnecessary Use of SSNs
May 23, 2017 — Blog   

Today, the Ways and Means Social Security Subcommittee and the Oversight and Government Reform Information Technology Subcommittee held a joint hearing to examine how federal agencies are limiting the use of Social Security numbers (SSNs) to protect Americans’ identities.

As Rep. Tom Rice (R-SC), who chaired today’s hearing, said: 

“Our SSNs are connected to so many personal aspects of our lives—from our Social Security benefits and finances, to our medical histories and education. … This hearing is about making sure that SSNs are only used when necessary and that the federal government is doing what it can and what it should to make sure that when SSNs are used and collected, they are kept safe.” 

The Social Security Administration (SSA) created SSNs in 1936 to keep accurate earnings histories, but over the last 80 years, the federal government’s use of SSNs has expanded beyond one agency. As SSA’s Acting Deputy Commissioner for the Office of Retirement and Disability Policy, Mariana LaCanfora, explained:

“The universality and ready availability of the number made the SSN an incredibly convenient means of identifying people in other large systems of records.” 

Unfortunately, as the Government Accountability Office’s (GAO) Director of Information Security Issues, Gregory Wilshusen, pointed out the widely-used SSNs are now leaving millions of Americans vulnerable to identity theft and fraud. He said: 

“Thieves find SSNs valuable because they are the identifying link that can connect an individual’s information across many agencies, systems, and databases.”

That’s why, in 2007, the Office of Management and Budget (OMB) issued a memo requiring all federal departments and agencies to eliminate the unnecessary use of SSNs and to explore alternatives to the SSN as a personal identifier for employees and in federal programs. 

Karen Jackson, Deputy Chief Operating Officer for the Centers for Medicare and Medicaid Services (CMS), detailed several steps the agency is taking to protect Medicare beneficiaries. For example, Ms. Jackson discussed implementing the bipartisan Medicare and CHIP Reauthorization Act of 2015 (MACRA) and removing SSNs from Medicare cards—a priority championed by Social Security Subcommittee Chairman Sam Johnson (R-TX). She reassured Members: 

“As required by MACRA, by April 2019, CMS will eliminate the use of beneficiaries’ SSN as the source of the primary identifier on Medicare cards and replace it with a new, unique Medicare Beneficiary Identifier (MBI), or Medicare number.” 

Ms. Jackson added: 

“CMS has already removed SSNs from many types of communications, including Medicare Summary Notices mailed to beneficiaries on a quarterly basis. We have prohibited private Medicare health (Medicare Advantage) and Prescription Drug (Part D) plans from using SSNs on enrollees’ insurance cards (e.g., insurance cards for Medicare Advantage, cost contract, and Part D enrollees). CMS has also looked for ways to minimize the need for mailings including beneficiary personally identifiable information (PII).” 

The Department of Veterans Affairs is also taking steps to eliminate the use of SSNs, including creating an entirely new system unique to veterans and their families known as the “Master Veteran Index.” But it will be years before SSNs can be fully removed.  As John Oswalt, the Director for Privacy for the Department’s Office of Information Technology, said: 

“While additional work remains to fully extricate SSNs from Veterans’ records, including re-engineered business processes and legacy system upgrades, programs like the [Master Veterans Index] have made significant progress towards the goal of SSN reduction.” 

While federal agencies are making progress to meet the requirements OMB laid out in 2007, some agencies are still facing enormous challenges. For example, in 2015, identity thieves exploited a vulnerability in the IT systems of the Office of Personnel Management (OPM) to gain access to more than 22 million individuals’ personnel and background investigation records, which included SSNs and other personally identifiable information. As David DeVries, the Chief Information Officer for OPM, explained:

“It is difficult to completely eliminate the Federal use of SSNs without a government wide coordinated effort.”

Looking forward, Mr. Wilshusen of GAO warned: 

“Until OMB and agencies adopt better and more consistent practices for managing their SSN reduction processes, overall government wide reduction efforts will likely remain limited and difficult to measure; moreover, the risk of SSNs being exposed and used to commit identity theft will remain greater than it need be.” 

As Rep. Rice concluded: 

“The federal government needs to ensure it is doing all it can to protect Americans’ identities and that Social Security numbers are not being used unnecessarily. While progress has been made, based on what we’ve heard today, there’s still a long way to go.”

CLICK HERE to learn more about today’s hearing.

SUBCOMMITTEE: Social Security