
Blue Shield Leaks 18,000 Doctors' Social Security Numbers

Posted by Unknown Lamer
from the measure-twice dept.
itwbennett (1594911) writes "The Social Security numbers of roughly 18,000 California physicians and health-care providers were inadvertently made public after a slip-up at health insurance provider Blue Shield of California, the organization said Monday. The numbers were included in monthly filings on medical providers that Blue Shield is required to make to the state's Department of Managed Health Care (DMHC). The provider rosters for February, March and April 2013 included the SSNs and other sensitive information and were available under the state's public records law." Ten copies were requested under the public records law.

  • by Anonymous Coward on Tuesday July 08, 2014 @07:11AM (#47406283)

    With so many SSNs leaked, the odds of a criminal picking yours are getting worse all the time!

    • Indeed. Perhaps picking up a couple of spares is the only sane defense now.
    • by NotDrWho (3543773) on Tuesday July 08, 2014 @07:40AM (#47406395)

      Maybe at some point after they're all finally out companies, agencies, colleges, etc. will finally realize that using SSN's as their unique identifiers of choice is dangerous.

      • by Anonymous Coward on Tuesday July 08, 2014 @07:58AM (#47406465)

        Using SSN as an identifier isn't really the problem.

        It's that they want it to be BOTH the public identifier AND the private password.

        If it is just an identifier, you should be able to use it publicly - but the whole idea is that you need to guard it and keep it secret because they are treating your knowledge of it as proof that you actually belong to the account is where the problem arises. Either it is just a record number, in which case it shouldn't be a secret - or it is your password, in which case you should have a public record number that isn't secret.

      • by leonardluen (211265) on Tuesday July 08, 2014 @08:19AM (#47406555)

        it wouldn't be an issue if the SSN didn't have to be kept secret. there should be an easily changeable pin that goes with the SSN that you use when you need to apply for a loan or something.

        or treat it more like credit card numbers and make it easier to get a new one if it becomes public.

        another option issue one time use numbers like some credit card companies do.

        there isn't necessarily anything wrong with having a unique identifier for people. the current implementation however is the problem.

      • Re:Good news though (Score:5, Informative)

        by cayenne8 (626475) on Tuesday July 08, 2014 @08:25AM (#47406577) Homepage Journal
        This was my first thought, WTF are they using SS on this type of report at all?!!?

        I mean, if they need a record of the physician's business, why not use the Federal Tax ID? Why in the world would anyone give out a SS number in this day in age for anything besides something that is directly related to SS transactions (taxes, payments, etc)?

        I don't give my SS to anyone except the bank and for SS tax purposes. My last power company tried to insist I give it to them, when I asked WTF they needed this for simply connecting power they said for a 'credit check'. I talked further and found out they'd take a deposit in lieu of this and that's the road I took. I got the deposit refunded about 6mos later I think.

        But seriously, there's not a THING these days that should or does require a SS# to be given. However, sometimes, sadly, you DO need to be persistent in your insistence that they don't need it. Speak to a mgr or two if need be, but don't give it out.

        • That is how the SSN was originally meant to be used. But then along came a need for a global UID for people and whoosh all the promises went out the window. I will try the deposit route though next time I encounter that situation.
        • if they need a record of the physician's business, why not use the Federal Tax ID?

          Unless the doctor is incorporated, the SSN is the tax id.

          Why in the world would anyone give out a SS number in this day in age for anything besides something that is directly related to SS transactions (taxes, payments, etc)?

          They didn't. They gave out their SSN because this is directly related to SS transactions. The doctors receive payments from the insurance company, and those payments must be reported to the IRS on a 1099 form, and that must include the tax id, which is the SSN.

          Anyway, I see leaks like this as a good thing. The sooner everyone's SSN is public, the sooner we move away from the idiotic notion that the same number should be used for both identificat

          • by cayenne8 (626475)

            Unless the doctor is incorporated, the SSN is the tax id.

            Err, if the said Dr. is in business and is not incorporated, he's quite a fool.

            They didn't. They gave out their SSN because this is directly related to SS transactions. The doctors receive payments from the insurance company, and those payments must be reported to the IRS on a 1099 form, and that must include the tax id, which is the SSN.

            Err, no. there is NO place to fill out SS on a 1099 payment. That is precisely where you have and use your TIN (

            • by dlt074 (548126)

              Err, no. there is NO place to fill out SS on a 1099 payment. That is precisely where you have and use your TIN (Tax Identification Number), You only give your SS on your Personal tax forms at EOY in that situation. No, there is no valid reason a Physician should be giving out his personal SS for a business transaction, especially if it is a 1099 and NOT a W2 type form. Taxes are NOT taken out of 1099s... you are responsible for that on your own at EOY.

              when receiving 1099 income, the issuer o

              • by kwbauer (1677400)

                Yup, win a prize worth more than $600 from the radio and such and you won't receive it until you've filled out the 1099 related paperwork that requires you to give your SSN. Win more than $600 at the casino or in something like a dart tournament and the same thing happens?

                Oh, and as far as end-of-year payments... Coming up quite short on all that excess income will result in some penalties, the least of which is requiring you to file quarterly estimated payments. In other words, if you have a lot of taxabl

              • by cayenne8 (626475)
                I think you missed the part where I mentioned the TIN.

                Any smart Dr will be incorporated and use a TIN for tax purposes, not a SSN.

            • Err, no. there is NO place to fill out SS on a 1099 payment.

              This is just flat out wrong. Have you ever actually seen a 1099? If you are paying an individual, the SSN is the tax id, and must be listed on the form. If you are paying a corporation, then you don't use a 1099.

              • by cayenne8 (626475)

                This is just flat out wrong. Have you ever actually seen a 1099? If you are paying an individual, the SSN is the tax id, and must be listed on the form. If you are paying a corporation, then you don't use a 1099.

                Not so, I contract, I am an individual working for my own S-corp.

                I have never given out my SSN when being paid 1099 through my company.

                I give out only my TIN, they pay me with checks, and at EOY I get a 1099 from them for my tax purposes.

        • I don't give my SS to anyone except the bank and for SS tax purposes. My last power company tried to insist I give it to them, when I asked WTF they needed this for simply connecting power they said for a 'credit check'. I talked further and found out they'd take a deposit in lieu of this and that's the road I took. I got the deposit refunded about 6mos later I think.

          These companies really don't need it. When I set up my cable, electric etc. I didn't have an SSN, it takes time to get one when you are an immigrant. As soon as they learned I just didn't have one then they went down an alternate procedure. I think in the end I only had to leave a deposit with the cell phone company, everyone else just connected me.

          This can be a pain down the line when trying to deal with these companies over the phone though as everyone wants the last 4 digits of your social as part of th

      • by mpe (36238)
        Maybe at some point after they're all finally out companies, agencies, colleges, etc. will finally realize that using SSN's as their unique identifiers of choice is dangerous.

        Using them as identifiers isn't actually that bad. Though it's a bit daft not to be able to come up with employee/student/etc numbers.
        The problems come trying to use them as AUTHENTICATORS. As well as the daft idea that only you know your own "name"...
  • How could a criminal use SSNs anyway?
    What types of scam/hack/crime would be possible?

    • by f00zy (783212)
      SSNs, like passwords, need to die. They are a relic that doesn't work anymore.
    • Re:Using SSN? (Score:4, Informative)

      by Joe Gillian (3683399) on Tuesday July 08, 2014 @07:36AM (#47406373)

      They can use SSNs for ANYTHING, which is what's so scary about having yours stolen. They can open credit cards, take out insurance policies, even look for jobs in your name. Essentially, an SSN is a person's identity.

      • They can use SSNs for ANYTHING, which is what's so scary about having yours stolen. They can open credit cards, take out insurance policies, even look for jobs in your name. Essentially, an SSN is a person's identity.

        Right... the problem isn't SSNs, or even the security of them... it's the fact that creditors will ruin your credit over the internet with nothing more than a 9 digit number and having never met you in person or even mailing you a letter. The majority of SSN fraud is done on the SSN of people who are dead. And not like "died last month" as in, dead for decades or even longer. The creditors don't even check to see if you're still alive before issuing a loan. There are more rigorous checks on your identity wh

      • by Bobberly (1677220)
        One would think that the fix would be for SSNs not to be the sole source for opening new accounts and such. Kinda ironic that the credit card companies are the ones causing this problem by not requiring better proof of identity. Then again the State of Florida does the same thing. They ask for SSN when filing for property tax exemption for no other purpose than to make sure you didn't file somewhere else as well. Really it just makes for an easy SELECT SSN GROUP BY SSN HAVING COUNT(*) > 1 query t
    • by plover (150551)

      While I don't want to provide a detailed how-to, it goes something like this:

      1. Go to store.
      2. Fill cart with TVs and other expensive goods.
      3. Wait for cashier to ask "would you like to save money by opening a credit card?"
      4. ???
      5. Profit.

    • by drinkypoo (153816)

      Someone got a car under my SSN using a check cashing card as proof of identity. They didn't even have any documents with the SSN on them, except a check cashing card.

      • I don't see this as a SSN problem; it's more a greed problem on the part of the seller, who failed to enforce due diligence.

        • by drinkypoo (153816)

          I don't see this as a SSN problem; it's more a greed problem on the part of the seller, who failed to enforce due diligence.

          He didn't just fail to enforce due diligence, his intent was to sell the car to someone not entitled to buy it, so that he could get a judgement. You can borrow against owed debt. It's all a very well-known scam.

    • With a person's name, SSN, and date of birth (somewhat easy to obtain), you can steal that person's identity and open lines of credit in their name. Add in address (pretty easily obtained) and you can do a lot of damage to their credit - while racking up thousands in purchases to enjoy. I wish I could add the caveat that you'd only enjoy this stuff until the police arrested you but many identity theft cases don't result in arrest because 1) the local police are unprepared to investigate online crimes that

      • by kwbauer (1677400)

        Exactly how can you steal someone's identity? Aren't they still there? Don't their friends still know them? This just makes no sense.

        • The person took my personal information (from where I'll never know) and opened a credit card in my name - in other words, using my identity. This damaged my credit rating. Granted, it wasn't damaged as bad as it could have been, but that's like saying someone took my car for a joyride one night and brought it back with just a dented fender.

          Other people who have had their identity stolen haven't been as lucky as I was. The thieves can make off with thousands of dollars worth of merchandise in a couple of

          • by kwbauer (1677400)

            Yes, I get that and kind of now regret my smart-ass comment. It was kind of trollish. I wanted to see how others might compare identity theft to IP theft. To me, they are very similar.

  • Identity Theft (Score:5, Informative)

    by Jason Levine (196982) on Tuesday July 08, 2014 @07:38AM (#47406385)

    I've been through identity theft. It's not fun. And I was lucky enough to catch it quick enough that little damage was done. Capital One approved a card for "me" based on an online form where the thieves had my name, address, DOB, and SSN. Mother's maiden name was wrong, but that didn't stop the approval process. The thieves paid for rush delivery of the card and then changed the address on it. This meant that the card was sent to me BEFORE the address change went through. If this hadn't happened, I would have only known about it once the bill collectors came barging down my door.

    On a side note: Capital One was not helpful at all. They stonewalled both me ("If we tell you the address on the card and you go and kill the person, we're liable" = what they actually told me) and the police (gave them a phone number linked to an answering machine and never called back). The combination of their approval of the card, missing all of the red flags along the way, and refusing to help beyond canceling the card means Capital One will NEVER be "what's in my wallet."

    For those who think they have bad credit and thus wouldn't be victims, it doesn't take much. Remember, the thieves don't care about whether you can pay back the bills they are generating. All it takes is one credit card company to approve a card and they'll tear through the balance leaving you with thousands in debt that you'll need to prove wasn't your doing. In addition, there's another form of identity theft where a criminal is arrested and gives your name/SSN/DOB instead of their own. Then your name goes into the police databases and you'll be harassed as an assumed criminal. Removal of your name can take years during which time you'll flunk any background checks.

    There's no protection that I know of from the latter form of identity theft, but you can freeze your credit to protect against the former. This means that nobody - not even you - can open new lines of credit unless you first thaw the credit files. The downside is that you need to pay to freeze and for each thaw. The upside is that you have a handy retort for all of those "You can save $5 if you open up a credit account with us" offers at the cash register. "No, thanks. My credit file is frozen." I've found these people stop their sales push the minute they hear you were a victim of identity theft. (I don't think that's in the script they are supposed to read to customers. ;-) )

    • by Anonymous Coward

      In Sweden we use our SSN (equiv) for almost everything. We do not expect it to be secret. Also all mail from creditors is always sent to our registered address. So while we still have identity theft it's much harder for the thieves to actually reroute packages containing credit cards. Rather they often need to steal the package from the mailbox (which can be hard in condos/apartments). I don't really see how the companies considering the SSN to be secret will help anyone. If just everyone assumes that all S

    • So, pretty clearly, there is a huge problem with SSNs being used in the USA as both identifier and authenticator. And this has been known for years, and many people have suffered as a result of this really really stupid system, whose flaws are obvious to everyone using the system.

      So how long will it take to get something changed?

      • Sadly, I don't think this will be changed anytime soon. Identity theft doesn't really hurt credit card companies or credit agencies. The credit card companies just close the card and write off the fraudulent purchases. At best. At worst, they'll send collection agencies after you for years until you prove that "you" wasn't really you. (The credit card company in my case had various "suggestions" as to what happened including that my wife opened the account with my information without my knowledge. Fin

  • to screw up is human, to really screw up requires a computer.

  • Another example of why stupid people shouldn't be left in charge. These folks are responsible for managing billions of dollars in health care premiums and payments and a failure in data management policies has led to a breach. I'm sure they'll just offer the poor doctors "Lifelock" for a year. No wonder our healthcare system is so fucked up.

  • I'm going to guess that these filings are done electronically. And that the information provided must fit some sort of pre-arranged schema. Back in the old paper days, a form with labeled fields to be filled out. So if some moron ran a SELECT * to populate the report, the state should have rejected it as not being filled out properly.

    Or is this one of these reports that the state requires but never uses? Something that has been done by tradition but everyone has forgotten about the reasoning behind it. So
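
The schema check the last comment describes, as an added example that is not part of the thread and not Blue Shield's or the DMHC's code: a gate run on a roster export before it is filed, rejecting columns outside an allow-list and any SSN-shaped value hiding in an allowed column. The column names, the allow-list and the sample rows are assumptions constructed for illustration; the page does not give the real filing schema.

```python
import csv
import io
import re

# Assumed allow-list for the filing (hypothetical; not the real DMHC schema).
ALLOWED_COLUMNS = {"provider_name", "npi", "specialty", "county"}

# Dashed or bare nine-digit values, skipping ranges never issued as SSNs
# (area 000, 666, 9xx; group 00; serial 0000). A 10-digit NPI does not match.
SSN_RE = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}(?!\d)"
)

# Constructed sample exports: a clean one, a "SELECT *" style one that drags
# an ssn column along, and one with an SSN pasted into an allowed column.
CLEAN = (
    "provider_name,npi,specialty,county\n"
    "Dr. A Example,1234567890,Cardiology,Alameda\n"
)
SELECT_STAR = (
    "provider_name,npi,specialty,county,ssn\n"
    "Dr. A Example,1234567890,Cardiology,Alameda,123-45-6789\n"
)
HIDDEN = (
    "provider_name,npi,specialty,county\n"
    "Dr. B Example 123456789,1234567891,Oncology,Kern\n"
)


def check_roster(csv_text, allowed=ALLOWED_COLUMNS):
    """Return findings as (kind, line_number, column); empty means OK to file."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text), restkey="_extra")
    for col in reader.fieldnames or []:
        if col.strip().lower() not in allowed:
            findings.append(("unexpected_column", 1, col))
    for line_no, row in enumerate(reader, start=2):
        for col, value in row.items():
            if isinstance(value, list):      # cells beyond the header width
                value = ",".join(value)
            if value and SSN_RE.search(value):
                findings.append(("ssn_shaped_value", line_no, col))
    return findings


if __name__ == "__main__":
    for name, text in [("clean", CLEAN), ("select_star", SELECT_STAR),
                       ("hidden", HIDDEN)]:
        print(name, check_roster(text))
```

The same check works on the receiving side: an agency that publishes filings under a records law can refuse any upload with a non-empty findings list.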
