October 5, 2012

University error reveals thousands of employee SSNs

A mailing error last month that revealed the Social Security Numbers of more than 9,000 University employees may prove to be a costly mistake for everyone involved, as administrators urge staffers to protect themselves from identity theft and pledge to pay for expensive credit-monitoring services.

The mistake occurred on Monday, September 24, during a routine task: reminding employees to re-enroll in their annual health benefits. Only this time, on the postcards sent out, each recipient’s SSN was printed just below the address line. The postcards were not in envelopes.

Four days later, Gwynne Dilday, an associate vice president in Human Resource Services, sent out an e-mail to the roughly 9,100 recipients explaining the gaffe, apologizing, and directing staff to take steps on their own to protect their identities.

Dilday urged staffers to dispose of the postcard, “treating it as you would any sensitive document.” She also recommended that they place a 90-day fraud alert on their credit reports, usually the first line of defense when someone suspects that his or her identity has been compromised.

The University is also offering to pay for one year of credit monitoring for any of the recipients, through Austin-based company AllClear ID. Credit-monitoring services keep tabs on clients’ credit files, which are maintained by the three national credit reporting agencies, Experian, Equifax, and TransUnion. Suspicious activity—like the opening of new credit card accounts—is reported to the customer.

It is unclear whether the University has an arrangement with AllClear ID, but the company charges $15 per customer a month for its services. With the University extending an open offer to some 9,000 people for twelve months each, the cost could quickly skyrocket.

Some experts in consumer protection are also doubtful of the effectiveness of such services. Susan Grant, director of consumer protection at the Consumer Federation of America in Washington, D.C., says that credit monitoring cannot adequately protect people who have lost control over that most important piece of personal information, the SSN.

“The Social Security Number is unfortunately the key that unlocks your entire identity,” she said. “That’s a much more serious breach than if something like credit card numbers is revealed.”

When an SSN is compromised, she said, the “various ways that this information could be abused are not necessarily going to show up on a credit report.” For example, if an identity thief were to use someone’s SSN to apply for government benefits or to get a job, no credit-monitoring agency would know immediately.

“So just offering credit monitoring is totally inadequate,” she said.

Although countermeasures do exist—filing a report with local police, for example, or making the 90-day fraud alert permanent—there isn’t much that an individual can do besides remaining vigilant. By law, every American is entitled to one free credit report from one of the three credit reporting agencies each year, and may pay for more.

“Really what’s needed is providing an identity theft service that would also monitor public records and other kinds of databases where it might be revealed if someone is using your [SSN] for employment, for government benefits, for medical services, and for a host of other things that are not going to show up in a credit report,” she said.

“As for what people can do for themselves, it’s very difficult to do anything.”

Because the SSN was printed on a notice about health benefits, some employees have raised concerns that the University violated HIPAA (Health Information Portability and Accountability Act) statutes, which protect against disclosures of private health-related information, according to Mila Kuntu, a union steward for Teamsters Local 743. The fines for HIPAA violations, even accidental ones, can be staggering, reaching up to $1,000 per breach.

Anup Malani, an endowed professor in the Law School who specializes in health care law, is doubtful that the University can be held liable. However, there are many factors to consider, such as the typical processes used to keep information private and the ways in which the University addressed any systematic or one-time problems.

“The way that HIPAA is being implemented is to encourage entities [parties with health insurance coverage] to have good processes that limit the spread of health information,” he said. “If the University of Chicago has generally good procedures in place, and this was just a breach, then [it] might be in an okay spot.”

What also matters, he explained, is whether the University has taken immediate steps to address the logistical problems that made the error possible. The absence of proper instructions, for example, might be something the University would be compelled to correct.

“Was there a flag? … Did the University respond immediately afterwards to put in those flags?” Malani said.

The provenance of the SSN is also important, since HIPAA does not apply if the information came from an employee record, rather than a health record.

The University seems to have adopted a wait-and-see approach. Administrators have not engaged with local police at the moment, according to U of C spokesperson Jeremy Manier, “because there is no indication of any criminal activity.” However, he added, employees who suspect that they are targets of identity theft should contact law enforcement and the state attorney’s office, and should alert the University “so we can use this information in our own investigation.”

Incidents of identity theft in which the criminal relied on personal information—like SSNs rather than credit card numbers—make up a relatively small proportion of identity crimes each year, according to data collected between 2005 and 2010 by the Bureau of Justice Statistics in its most recent report.

However, such crimes are still numerous: in 2010 some 775,000 households were targeted using personal information.