DHFS to end practice of using Social Security numbers for ID

Madison, Wis. - Kevin Hayden, secretary of the Wisconsin Department of Health and Family Services, has told a State Assembly committee that his department is working with Electronic Data Systems to change identification numbers to a unique 10 digit number that does not include the Social Security numbers of Wisconsin residents enrolled in state healthcare programs.

Hayden and Roger Ervin, secretary of the Department of Revenue, testified on recent security breaches Thursday before the Assembly Committee on Consumer Protection and Personal Privacy. They were on hand to explain what their respective departments are doing to prevent future release of Social Security numbers and other sensitive information.

Their testimony came after the Social Security numbers of hundreds of thousands of state residents were exposed in recent mailings. The breaches include the visible mailing of more than 260,000 Social Security numbers along with an informational booklet about Senior Care, and the mailing of as many as 5,000 new tax mailings from the DOR that went out with Social Security numbers in full view. It was the second data breach associated with DOR in the past 13 months; in late 2006, a DOR contractor took the blame for sending 171,000 tax booklets with the recipients' Social Security numbers on the cover.

Both secretaries described the steps that have been taken to prevent future mistakes. “We recognize the need for ongoing vigilance in this area,” Hayden said.

Hayden said the current 10-digit number system, which includes Social Security numbers, will be replaced with a "pseudo" identifying number that is not based on the Social Security numbers.

According to an incident report, Hayden said an EDS employee failed to follow privacy procedures as part of a mail merge. The employee, who has been fired, failed to review the contents of that file to ensure that sensitive information was not included in the mailing. Hayden said the error was detected before an additional 237,000 mailings were sent out.

After the emailing went out, DHFS directed EDS to put free credit monitoring in place to protect affected residents from identity theft, and the company has agreed to offer of free credit monitoring and cover all expenses associated with the error.

Hayden also has asked Wisconsin Attorney General J.B. Van Hollen to consider legal action against EDS.

“Confidential information should never have been printed,” Hayden said, “and this failure has exposed our [program] members to identity theft."

DOA/DOR

Michael Morgan, secretary of the Department of Administration, could not attend the hearing due to the death of his father in law. In his stead, Deputy Secretary Dan Schooff told the committee he is confident the department has systems in place to monitor security, including a scanning technology that does 8,000 scans an hour and is connected to law enforcement agencies.

Across state agencies, he said employees with access to confidential information are required to sign confidentiality agreements, “but clearly more has to be done.”

Schooff noted that Gov. Jim Doyle has asked Metavante, Inc., to review state security practices and procedures, and the company has agreed to do so free of charge by the first week of April and share what it learns with the committee.

Wisconsin is the only Midwestern state that still uses Social Security numbers as personal identifiers, a practice that many believe has outlived its usefulness - especially in the electronic age. Schooff said policy makers have used Social Security numbers because they were the unique identifier provided by the federal governmnt, which still uses them in some cases.

Ultimately, Ervin said the best way to ensure security is to disaggregate Social Security numbers across government and make them worthless in terms of market value. That entails a specific identifier for the Department of Revenue, an underlying password, and then linking these identifiers to individual Social Security numbers to create multiple layers of security.

Ervin said DOR looks forward to working with Metavante to assess its security weaknesses. He said the DOR has completed an audit of its entire security profile, and has already made changes and will make more in the future with respect to its practices, policies, and infrastructure improvement.

Prior to holidays, Ervin said the DOR began an assessment of its security plan. “We can never give up understanding where we can improve," he said. "We will focus on physical security, employee policies, education, and training. Each employee in DOR has to under go security training and sign confidentiality contracts.”

Related stories

• Department of Health and Family Services cancels technology-related Request for Proposal

• Extracting and redacting: Is solution to state's privacy fumbles right in its own back yard?

• Doyle asks Metavante to investigate state data breaches