avatar Christine Arevalo, VP Healthcare Fraud Solutions July 27, 2016 Cyber Security | Data Privacy | Identity Theft and Fraud Subscribe to the ID Experts Blog
Back to blog

Will Removing Social Security Numbers from Medicare Cards Make a Difference?

If you’re not yet old enough to qualify for Medicare coverage, you may not realize that Medicare cards are distinctly old-fashioned: They are simply laminated cards that openly display that most traditional (and vulnerable) of identifiers, the Social Security number (SSN).

The Medicare Common Access Card Act of 2015, or H.R. 3220, aims to finally update those cards, replacing them with machine-readable, fraud-resistant “chip and pin” cards that would not reveal any personally identifiable information.

The question we posed to two security experts is whether removing Social Security numbers from Medicare cards will make a noticeable difference in terms of reducing Medicare fraud and abuse. Or  will it be too little, too late?

Successful Data Breach Response: A Proven 12-Step Process

GAO Research Provides Perspective

According to the Government Accountability Office (GAO), about $60 billion of Medicare fraud and abuse takes place each year. Based on a review of 739 healthcare fraud cases that were resolved in 2010, the GAO estimates that fully implementing H.R. 3220 would curb 22 percent of that abuse, resulting in $13.2 billion in annual savings.

As we reported recently, the GAO’s research found that smart cards could help reduce six specific types of fraud:

  • Billing for services that were never actually provided
  • Misusing a provider's identification information to bill fraudulently
  • Misusing a beneficiary's identification information to bill fraudulently
  • Billing more than once for the same service by altering a small portion of the claim
  • Providing services to ineligible individuals
  • Falsifying a substantial part of the records to indicate the beneficiaries or providers were present at the point of care

However, in 78 percent of cases, “smart card use likely would not have affected the cases,” according to the GAO. In those cases, the beneficiaries or providers might be complicit in the abuse or not directly involved. For instance, smart cards would be unlikely to reduce fraudulent billing for unnecessary medical services or illegal marketing of prescription drugs.

Removing SSNs Is “Not a Silver Bullet”

Medical Identity Fraud Alliance (MIFA) members have jointly endorsed H.R. 3220, and Ann Patterson, MIFA senior vice president and program director, spoke in favor of the bill in March 2016 at a legislative briefing on Capitol Hill. She is strongly in favor of the bill’s passage but also describes it as “just one piece of the puzzle.”

“Social Security numbers are the gateway to all sorts of identity fraud, and we need to do a much better job of protecting those numbers,” she said. “At the same time, we need to recognize that removing the numbers is not a silver bullet that will immediately end all identity theft or all Medicare fraud and abuse.”

Removing SSNs from Medicare cards may help some beneficiaries protect their identities, but Jay Jacobs, the lead data scientist at Verizon, estimates that 60 percent to 80 percent of SSNs have already been stolen. With that in mind, Patterson said that if traditional Medicare cards are replaced, “We may not see the number of frauds reduced right away.”

However, Patterson added that there might be significant benefits to future Medicare beneficiaries. “Moving forward, as new populations enroll in Medicare, they’re going to be people who have not had their Social Security numbers exposed on their cards. The system will be more secure for them because we hope they will be using smart card technology from the start.”

Consumers Need to Move to the Driver’s Seat

The possible passage of H.R. 3220 is a “monumental move” by the U.S. government. It’s been said that it would be too expensive, but it’s inexcusable to leave our vulnerable elderly population exposed to fraud and abuse.

The Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, conducted by Ponemon Institute, found that 89 percent of healthcare organizations suffered a data breach in the past two years. That means that not only millions of SSNs but also consumers’ medical records, credit card information, and more have already been exposed, creating problems that extend well beyond the issue of removing SSNs from Medicare cards.

Those of us who work in the privacy and security space believe that removing Social Security numbers from Medicare cards is a long overdue move. We know that it will not eradicate identity theft or Medicare fraud—but it will at least be a step in the right direction.

Even if H.R. 3220 passes, consumers need to be more proactive in protecting their SSNs and other private information. Consumers should be in the driver’s seat. They have to play a central role in protecting their own data.

Where to Go from Here

H.R. 3220 has a chance at passage even during this contentious presidential election year. However, even if it does pass, it will be several years before the pilot programs are complete and the smart cards could be rolled out nationwide.

In the meantime, the Privacy Rights Clearinghouse, supported by AARP, recommends that current Medicare cardholders photocopy their card, cut out the last four digits of their Social Security number, and carry the photocopy instead of the original card.

All consumers need to go a step further and monitor their health records as closely as they do their bank statements. Instead of relying on belated protections like the replacement of today’s Medicare cards, be your own advocate. Speak up, monitor your data, and don’t give away your Social Security number or birth date or other data unless you have to.

Successful Data Breach Response: A Proven 12-Step Process

Back to blog