While no cybercriminal worth his salt would turn down a chance to get his hands on your credit card information, there’s an even bigger prize: your Social Security number, which cybersecurity experts say is now the single most valuable piece of information in terms of being able to steal your identity.
So if our Social Security numbers are such hot property, why do doctors routinely ask for them? The answer isn’t particularly endearing: Your doctor’s office wants your Social Security number so it can better track you down if you don’t pay your bill.
But no, you don’t legally have to provide it unless you are a Medicare or Medicaid recipient. Nor should you, experts say. In fact, not even the American Medical Association wants you to.
“Healthcare providers and others ask for your SSN because it’s easier for them to track unique individuals that way,” said Mark Nunnikhoven, vice president of cloud research for TrendMicro, an information security company.
Given that Medicare/Medicaid covers roughly 35 percent of Americans, it may be that requesting the Social Security number from all patients is just more expedient for the doctor or hospital. But it’s certainly not best for patients, who may be exposing themselves to identity theft.
“When asked for your SSN outside of legally required uses, push back.”
- Mark Nunnikhoven of TrendMicro
In 2017, there were 830 data breaches involving Social Security numbers, representing more than half of the total reported number of breaches. A whopping 158 million numbers were exposed, according to the Identity Theft Resource Center ― more than eight times the number exposed in 2016.
Many of these breaches occurred in the health care industry, where medical records enjoy a long shelf life. The industry has a reputation for being something of a leaky sieve for information that should be kept confidential, according to TrendMicro, which calls the health care sector a “preferred target” for cybercriminals. The health care industry, with hospitals leading the way, reported that 113.2 million health care-related records were stolen in 2015 ― the most ever, according to the Department of Health and Human Services.
Alarmingly, about half of all health care organizations had little or no confidence that they could detect the loss or theft of patient data, and the majority lack the budget to secure their data, according to a 2016 annual study on health care data privacy and security by the Ponemon Institute, a security research and consulting organization.
Only a few organizations actually have a legal right to your SSN, including your employer, banks and lenders, investment funds, the IRS and government-funded programs such as workers’ compensation.
The more your number is out there, the greater the risk of identity theft. Armed with your Social Security number, someone can file fraudulent tax returns in your name, open credit cards, or get official documents like a passport or driver’s license. And it’s a nightmarish bit of data to have stolen. If a thief steals your credit card or bank account number, for example, it’s useful only until the credit limit is reached or you catch on to the hack and close the account. But you can’t close your Social Security number.
And it gets worse: It’s an open secret that a person’s Medicare number includes their Social Security number. It’s printed right out on the front of every Medicare card for the world to see. That is being corrected, however: New cards with randomly assigned Medicare numbers are in the process of being issued to replace the ones that bear Social Security numbers.
Part of the overall problem is that Social Security numbers were never designed to be used as identity authenticators. Decades ago, they began being issued as a way of recording your earnings to determine the amount of benefits you would be paid at retirement or if you claimed a disability. Through the years, they morphed into a popular form of identification ― and, most recently, became coveted by cyber-thieves.
Nunnikhoven said that the issue of our Social Security numbers being used as identifiers ― despite explicit warnings against doing so ― is made more complicated because of decades of supplying it to anyone who asks.
“Most Americans are so comfortable using their SSN that they have the number memorized,” Nunnikhoven said. “Given that it is only supposed to be used for Social Security and other federal government programs, that’s an indicator of a serious issue.”
Still, most health care providers request your SSN for transactions. Nunnikhoven suggests asking what other form of identification the doctor’s office would accept ― say, a driver’s license or a photo ID.
“When asked for your SSN outside of legally required uses, push back,” he said. “Awareness is key to making this shift away from SSN usage happen in a reasonable time frame.”
And, as for those places that just ask for the last four digits? They aren’t doing you any favors either. The first five digits of a person’s number are easy to figure out using publicly available information, according to a 2009 study at Carnegie Mellon University. Those numbers represent where the card was issued and when, so if someone knows where and when you were born, they’re a piece of cake to decode. If a savvy fraudster can get you to tell him the last four of your Social Security number, he’s in business.
Let your doctor know his own advocacy group discourages the practice.
“Our AMA policy is to discourage the use of Social Security numbers to identify insureds, patients, and physicians, except in those situations where the use of these numbers is required by law and/or regulation,” the American Medical Association states on its website.