07 September 2012

Why it's hard to protect your Social Security number

I should think the most significant risk of insecure medical records is not that your colon polyps will be publicized, but that most medical records would include a Social Security number (and a current name and address).  That's why reports like this are so disconcerting:
Over the past three years, about 21 million patients have had their medical records exposed in data security breaches that were big enough to require they be reported to the federal government... Six health care organizations listed on The Wall of Shame reported security breaches that involved one million or more records...

Theft made up 54% of the breaches, while hacking made up only 6% of the compromised data. Theft was followed by unauthorized access or disclosure for 20%, lost records and devices for 11%, improper disposal of records made up 5% and other/unknown categories made up 4%.

"By far ... theft is the number one type of breach we're seeing," Seeger said. "We've really seen this as a commentary on crime in America where the thieves are not after the information in the laptop, but they're after the laptop."

"Most of the portable devices are being stolen out of cars or otherwise being lost. Many of these laptops are lost by an employee while in transit on public transportation," Seeger added.
The names of some of the breached companies are listed in the Computerworld article.


9 comments:

  1. I truly don't understand why this sort of bulk sensitive data is *ever* stored on an easily-stolen laptop. That should be a firing offense.

    ReplyDelete
    Replies
    1. And I wonder how often the employee is complicit in the "theft." I suspect some lucrative bribes have been offered.

      Delete
  2. I have been fighting to keep my SSN off my medical records for decades, and have always been met with full court press resistance. Only because I know it is not legally required by anyone other than the IRS and my employer gives me a slight edge in the argument. But when I told one ex-employer to not divulge my SSN to Blue Cross, I was looked at as if hiring me was suddenly questionable. (Until it becomes commonplace for people to tightly control access to and use of their own SSN, everyone who sticks up for themselves like this will be so regarded. Most people cannot stand the idea of being seen as less than 110% cooperative at their new job, so they'll practically throw themselves at the employer's feet in abject obedience. And the employer knows it.)

    Frighteningly, I was told it was too late, they did it already, and they simply thought I was being silly, or worse, to object. As a brand new employee, I was not at liberty to vent my spleen. A person can, after the fact, demand the insurance company issue you a unique ID number and remove your SSN from their records, but it is not for the easily discouraged. Do it in writing, sometimes repeatedly. Then, test them later to see if your SSN is, after all, "oops", *still* on your records. Been there, done that, prevailed in disgust. Repeat with all medical providers.

    And as you likely already know, similar to your credit report, there is a medical report that is kept on you--tracked by your SSN. Insurance companies don't want that to be common knowledge because it is how they can quietly deny coverage and claims, without telling you why. Because if you did know why, you'd demand laws to stop the discrimination. God help you if you have ever had certain medical conditions treated in the past, and you are self-employed.

    The appropriation of the use of our SSNs, despite assurances by Congress at the time that it would "never" be used as a general use ID merely for the asking, proliferated purely because it was convenient. Businesses assured themselves you were who you said you were, though they never had any intention, or power, to ask SSA to verify it outside of employment.

    Too many people simply hand over that key to their own financial kingdom, without a second thought, and because they don't assert their right to not to. And Bidniss likes us compliant and ignorant. I learned the hard way that my name, address, DOB and SSN are extremely valuable pieces of information that legitimate and illegitimate enterprises alike hunger for endlessly. I didn't think that much of if because *I* wasn't in the business of actually exploiting and monetizing them.

    Now, I know better. But, daaaaaang. One last thing learned the hard way: leave blank any line on a form that simply requests "Social Security #" unless it is your *employer*, your bank or the IRS. Period, full stop. If a new doctor or dentist insists, and you don't want the fuss, then transpose some of the digits. They will never know. Never.

    TL;dr, I know. Sorry. Carry on. --A.

    ReplyDelete
    Replies
    1. No "sorry" necessary. That's an excellent rant/discussion/explanation.

      Delete
    2. Excellent information, Anon! I shall do as you advise...!
      Also, the government isn't going to do that anymore, see here :
      http://en.wikipedia.org/wiki/Social_Security_number
      going in for randomization
      also, see SIN, from the game Shadowrun: http://en.wikipedia.org/wiki/Shadowrun
      Now THAT is used for everything... can't buy anything without it, not even a toothbrush-- in normal society.

      Delete
  3. Gracias. I hope it will help spark more convo at large and perhaps spare at least one other person from the travails I endured/endure. I visit pretty much every day and always feel smarter by the time I leave. (Whether or not I act smarter is another fettle of kitsch. I. Mold.) --A.

    ReplyDelete
  4. *Gracias and thanks for the post. *sigh* --A.

    ReplyDelete
  5. The best part is that your SSN is not a random number. Using fairly simple algorithms and public information, folks were guessing the numbers of SSNs back in 2008/2009. After all, the numbers represent your birth year, the state you were born in, etc. They concluded, "If one can successfully identify all nine digits of a SSN in fewer than 10, 100 or even 1,000 attempts, that Social Security number is no more secure than a three-digit PIN." In fact, your high-school locker was probably more secure than your Social Security number. - and that news, like most things, passed by unnoticed like the 'observe warning signs' road signs some idiot spent my tax money on.
    http://news.sciencemag.org/sciencenow/2009/07/06-01.html (not the best article but it has a time stamp on it)

    Having worked in IT, we've had executive bozos ~ the ones who can bend the rules and get away with it ~ have passwords like 'leader', insist they need the entire company SharePoint site and SalesForce databases running local on their laptops, let their children(even teenagers) use their laptops ~ and you would be amazed at the correlation between devices getting stolen or dropped after another exec receives a 'superior' smartphone or laptop - usually because the previous model was discontinued and invariably the newer model offers faster wifi, more RAM, better SSDs, etc.

    My final concern here is that outsourcing has this data being exposed to the lowest bidding companies at all corners of the globe far out of reach of our control - how secure are their resources, who checks the security of their data centers, employees, etc? (nobody)
    In sum, security is just another faith / an illusion.

    ReplyDelete
    Replies
    1. Reply to Anonymous September 8, 2012 9:40 AM:

      Additional great points. I have some Help Desk experience, so when I read your comment, I was nodding in knowing agreement. It's ridiculous how cavalier everyone is with the most important number of your life--including the number holder. I think we should all be issued a new number, fully divorced from the old one, and we just start all over. I remember some Google bigwig suggesting we should all just change our names rather than try to re-establish privacy rights with our given names especially on the interwebs.

      I thought he was crazy at the time, but now, I think he's on to something. --A.

      Delete

Related Posts Plugin for WordPress, Blogger...