I had just been transferred to radiology when I found myself in front of yet another receptionist with a computer. She cheerfully entered most of my information and then asked for my Social Security number. I had left it blank on my medical paperwork for the second time that day.
“Do I have to give it to you?” I asked politely.
She blinked. Twice.
“No,” she said slowly.
I chose my words very carefully, not wanting to be difficult but genuinely interested, “Just out of curiosity, since you already have my insurance card and my I.D., why do you ask for a Social?”
She looked at me and smiled before saying, “I don’t know. We just always do.”
Chances are, you drop your Social Security number at your doctor’s office on a regular basis. And your dentist. And your kid’s school. You do it even when there’s no balance due, even when you have insurance and even if you’ve already provided it to the office before. And you do it – as with your kid’s school – even when there’s no clear reason for it. We’re just trained that way.
What you may not know is that you’re putting your identity at risk every time you do it.
Social Security numbers have become synonymous with our personal identification number. It is how we are identified at the doctor, at school, at banks and even sometimes, at work. But the reality is that Social Security number wasn’t intended to be anything other than what it says on the tin: a way of identifying workers and other qualifying individuals for purposes of Social Security benefits. The Social Security Administration (SSA) was created in 1935 and on December 2, 1936, SSN 055-09-0001, belonging to John D. Sweeney, Jr. of New Rochelle, New York became the first Social Security record established in the country (interestingly, Sweeney never received any Social Security benefits).
Since that time, more than 450 million Social Security numbers have been issued. And we use them for a wide range of purposes – including for the purposes of filing and paying our taxes – even though there are only about 40 uses approved by Congress. However, one of those uses is pretty broad: the Social Security Act allows states and local governments to require a Social Security number for a variety of tax and other reasons.
Beyond that, however, your Social Security number isn’t really an identification number. You may be asked for it all of the time – but that doesn’t mean you have to provide it every time. In fact, the SSA encourages you to protect your Social Security number, advising (brochure downloads as a pdf):
You should be careful about sharing your number, even when you are asked for it. You should ask why your number is needed, how it will be used and what will happen if you refuse. The answers to these questions can help you decide if you want to give out your Social Security number.
If you want. You don’t have to give it out. Not always.
I know what you’re thinking: why not? It’s the doctor. Or the school. Or some other trusted entity. What’s the worst that could happen? Try losing your identity. All of those things you can do with your Social Security number? The bad guys can, too. In spades. Armed with your Social Security number and a few other bits of data, criminals can clean out your bank accounts, run up credit card bills using accounts you never opened, create phony bank accounts, take your refund and file taxes under your number using bogus information. It can happen more than once. And it can happen in more than one place.
How does it happen? It’s simpler than you think. Here’s how you could lose your identity in five easy steps:
- Go to the doctor. Or the dentist. Or school. And hand over your Social Security number. Your work here is done (er, sort of, see #5 below).
- With a few clicks of a mouse, your number is stolen. And it happens right inside of the doctor’s office. Increasingly, identity theft isn’t happening as the result of a careless error on your part – or as an isolated incident. It’s practically an industry. Your Social Security number is a valuable commodity that can be bought and sold – and medical institutions like doctor’s offices, are easy pickings. It’s no surprise that the massive tax fraud takedown in Florida yielded personally identifying information (PII) gleaned from schools and health care providers. According to Michael DePalma, Special Agent in Charge for the Miami Field Office of Internal Revenue Service – Criminal Investigations (IRS-CI) and former National Identity Theft Coordinator for IRS-CI, criminals target institutions which store personally identifying information on a regular basis, noting, “any entity that houses data is vulnerable.” James Robnett, Special Agent in Charge for the Tampa Field Office of IRS-CI, confirmed that identifying information gleaned from sources like medical offices has increased, estimating that in his experience, it’s on par with the level of data stolen from the internet through sources like the Master Death Index.
- Thieves determine your value. Personally identifying information is stored in institutions in bulk, making it easy from the inside to assemble information about you and package for sale – just like any other commodity. And like any commodity, the value of that data can vary. Information could be limited to your name and Social Security number but is clearly more valuable if it comes with other goodies, like your address and employment data. Printouts of data can be had for as little as $50/name – nearly five times the hourly salary of the average medical office receptionist. Thieves rely on finding the weak link – maybe getting a person at the front desk who might be a friend (of a friend) or relative to hand over that data for a price. And the more they can get, the more they get paid since the more your records say about you, the more valuable they are to potential identity thieves.
- Your data gets studied and refined. In sophisticated criminal operations – and due to available technology, operations are increasingly sophisticated – data is sorted and prepared for sale. Since Social Security numbers that can be attached to real data are more valuable than a simple list, thieves try to fill in the blanks before your data is passed along yet again. The easy stuff first? The first three digits of your Social Security number are assigned by the geographical region in which you (or your parents) were residing at the time that the number was obtained. As rules, numbers are assigned beginning in the northeast and moving westward which means that folks on the east coast have the lowest numbers and those on the west coast have the highest numbers (the remaining six digits in the number are more or less randomly assigned). And while we live in an increasingly mobile society, these basic rules provide an easy start to figuring out more information about you.
- Criminals become your virtual friend. Or they try. With access to information on sites like Facebook, criminals now know a lot more about you than they used to. You know those “secret questions” that you rely on to protect your bank account and credit card information? Yeah. Thieves know those, too. They also know, thanks to Facebook, Twitter and other social media sites, exactly where you were born, your hometown, your pet’s name and your favorite color. They know your favorite athlete and the date of your anniversary. They may even know your mother’s maiden name and your father’s first name (thanks, Zuckerberg).
Now, it’s just a matter of matching data and creating master lists that can be priced and sold.
Because you’re no longer just a random patient named Jane Smith. You’re Jane Smith, SSN 123-45-6789, born on January 1, 1970. You work at ABC Chemicals and you live at 123 Elm Street, Anytown, USA 12345. Your spouse’s name is William. You own your own home and a Subaru Outback. You have a dog named Asta that you take on trips to your favorite vacation spot in the Adironacks. You were born in Virginia. You went to Penn State for college and New York University for graduate school. You are, or more accurately, your data is worth a fortune. And it can be sold over and over.
And if you’re astonished that someone would spend the time to gather all that data and match your identifying information from across the internet, don’t be. It’s a full time job for the bad guys. And it’s worth it: according to the Federal Trade Commission, in 2011, identity theft and other scams cost Americans $1.52 billion. A report by Javelin Strategy and Research pegs the number much higher, claiming that identity fraud incidents increased by one million more consumers over the past year, and the dollar amount reached $21 billion. That works out to one incident of identity fraud every three seconds.
And when it comes to taxes, identity fraud is truly rampant: as of December 31, 2012, the IRS identified almost 1.8 million incidents of identity theft (TIGTA report downloads as a PDF). The trend continued into 2013, as the IRS reported that it had identified 220,821 tax returns with $1.86 billion claimed in fraudulent refunds well before the tax filing season even came to a close (TIGTA report downloads as a PDF). The IRS has made tackling identity theft and tax fraud a priority with the National Taxpayer Advocate has putting the issue atop the IRS list of Dirty Dozen Tax Scams for both 2012 and 2013.
Whether your identity is stolen for tax fraud or credit card fraud or some other purpose, it can often be traced back to your Social Security number. And even though it was never intended to be, your Social Security number is the key to who you are. And giving it away can be the first step in a series of events that causes you to lose your identity.
For tips on protecting yourself from identity theft-related tax fraud, click here.