Senate Proposal Calls for VA to Drop Use of SSNsBill Aims to Help Reduce Identity Theft, Fraud Affecting Veterans
A bipartisan Senate bill proposes removing Social Security numbers of U.S. veterans from all Department of Veterans Affairs' information systems within the next five years in an effort to reduce identity theft and fraud.
See Also: Ransomware: The Look at Future Trends
The Veterans' Identity Theft Protection Act was introduced on June 16 by Sen. Tammy Baldwin, D-Wis., and is co-sponsored by Sen. Jerry Moran, R-Kansas.
"Our veterans should never be put at risk of identity theft with information that they have entrusted to the VA," Baldwin said in a statement. "That is why I am bringing this bipartisan solution forward to make certain that the VA stops using Social Security numbers to identify our veterans."
The bill would require the VA, the nation's largest healthcare provider, to discontinue the use of Social Security numbers with new claims for benefits within two years, and for all other veterans whose data is already in VA systems within five years. The VA, however, would still be permitted to use Social Security numbers if it needs to exchange information with another system outside of the agency that requires the use of those identifiers.
The proposed bill isn't the first call for Social Security numbers to be eliminated as identifiers in various federal programs in an effort to reduce identity theft and fraud. But other proposals primarily have focused on dropping Social Security numbers from government-issued ID cards.
For instance, the Government Accountability Office had repeatedly over several years recommended that Social Security numbers be eliminated from Medicare beneficiary ID cards before President Obama signed a bill in 2015 that provides $320 million in funding to remove those numbers from the IDs within four years (see SSNs to Disappear from Medicare Cards).
The VA is in the process of removing Social Security numbers from veterans' healthcare ID cards. Instead, new cards display an Electronic Data Interchange Personnel Identifier as their member ID on the front of the card. That Department of Defense internal identification number for veterans is also embedded in the card's magnetic stripe and barcode (see VA Issuing New ID Cards to Fight Fraud).
Also, in June 2011, the DoD completed efforts to replace almost 10 million military identification cards that had Social Security numbers printed on them with cards that stored the numbers in bar codes. DoD is also working to remove the numbers from the barcodes and magnetic stripes on the cards.
The VA on its website says it has "significantly reduced the unnecessary collection and use of SSNs as the department's primary identifier." Social Security numbers were either removed completely or truncated to the last four digits on most VA correspondence, and the identifier no longer appear on any VA prescription labels, bottles, or mailing labels, the agency says.
Those efforts by the VA, however, don't necessarily address the kinds of problems that prompted Baldwin to craft the proposed legislation. In her statement, Baldwin says the bill aims to prevent the type of mishap that occurred in early 2015 when Social Security numbers of hundreds of Wisconsin veterans were accidentally emailed by a VA employee to an unauthorized person. "This unintended disclosure of personal information put veterans and their families at risk for fraud and identity theft," she said.
The VA did not immediately respond to an Information Security Media Group's request for comment.
Good Idea, But is it Doable?
Mac McMillan, a former information security leader at the DoD who is currently CEO of security consultancy CynergisTek, says phasing out all use of Social Security numbers at the VA "eliminates at least one avenue where it can be compromised. But we need to understand that the SSN is still used for many, many different purposes."
Nevertheless, the legislation could prove troublesome to implement, McMillan says.
"If they come up with the replacement process for identification, it will be relatively easy for new veterans, but I think purging the system of all references to SSN for us older veterans may not be so simple," he says. "I would imagine it will be fairly costly endeavor. It's not going to be as simple as search and replace I'm sure."
A spokesperson for Baldwin tells ISMG: "We don't have an estimate of the cost because the VA refused to provide feedback; we've been asking since March."
In potentially replacing Social Security numbers for identifying veterans in VA IT systems, McMillan says, "any unique identifier will do, but I'd like to see one tied to other information about the veteran for authentication purposes and ... at least one additional factor used to access it."
The consultant also says it will prove challenging for the VA to carry out the bill's provision permitting it to use Social Security numbers if it needs to exchange information with another system outside of the VA that requires the use of those identifiers.
"If those other systems rely on the SSN ... for their identification purposes, removing it from one could break processes in the other," he says. "This is not a trivial matter and one of the big reasons I think this will not be easily or cheaply done."
The Baldwin spokesperson says the bill has been referred to the Senate Veterans Affairs Committee.