WASHINGTON, DC — The Social Security Administration has failed to inform tens of thousands of Americans that it accidentally released their names, dates of birth and Social Security numbers in an electronic database widely used by U.S. business groups.
The federal agency has kept silent about a potentially harmful security breach of the personal data of about 14,000 people each year, ignoring recommended reporting guidelines for such confidentiality breaches and violating the intent, at least, of the U.S. Privacy Act which protects personal information of private citizens.
The mistakes Social Security has made — and continues to make — with a database called the "Death Master File" underscore how federal consumer protection laws lag far behind most of the nation. Legislation in 46 states makes disclosure of such breaches mandatory, although federal agencies generally are exempt from state and local laws.
"I certainly have never been warned about this. I totally object to that," retired University of Tennessee agriculture professor John R. Jared, 68, said after a reporter recited his Social Security number and date of birth, gleaned from the database. "I'm glad to know about this."
Jared was one of 31,931 living Americans discovered in a Scripps Howard News Service review of three copies of the Death Master File. These files, which are available for purchase from many sources on the Internet, contained their Social Security numbers and birthdates — critical information needed by identity thieves.
"That's just not supposed to be public information — especially not my Social Security number," Jared said. "This needs to be corrected."
Reporters at newspapers and television stations owned by the E.W. Scripps Co. interviewed dozens of people nationwide who have suffered security breaches because of what Social Security officials have called "inadvertent keying errors" by federal workers when entering what was supposed to be information
only about dead people. None reported the federal agency warned them about the breach of their confidential information.
Most of those erroneously listed as dead who were contacted for this story said they only found out about the agency's mistakes when they suffered adverse events like frozen bank accounts, cancelled cell phones, refused job interviews, declined credit card applications, denied apartment leases or refused mortgage
and student-assistance loans.
Such events are common when the names and Social Security numbers of living Americans mistakenly are placed onto the official list of deceased persons, the Scripps investigation has found.
"Our government really needs some shaping up," said Laura Todd, 58, a Nashville woman who twice was falsely listed on the Death Master File. "I spent almost 10 years trying to get this all straightened out. No one ever sent me an apology or anything."
Social Security officials admit that, each year, they accidentally release personal information of about 14,000 living Americans by posting their files among the records of 90 million deceased Americans.
If their estimate is accurate, confidential data about more than 400,000 living Americans have been released since 1980 when the Death Master File became public under a Freedom of Information Act lawsuit.
U.S. business interests asked that the file become public to help protect them from fraud by thieves who assume the identities of dead people.
Several members of Congress have begun asking questions about errors in the Death Master File (DMF) as a result of the Scripps investigation. Social Security Commissioner Michael Astrue, who declined to be interviewed for this story, told them his agency would breach its silence if it detected indications of fraudulent activity.
"When we discover that we have included a living individual on the DMF, we take prompt action to correct our records," Astrue told Deputy Senate Majority Leader Richard Durbin, D-Ill., in a letter dated Sept. 21.
Astrue also said the breach is reported to the United States Computer Emergency Readiness Team (commonly called CERT), a part of the Homeland Security Department's Cyber Security Division.
"An independent contractor reviews all cases of inadvertent exposure of people's information to identify fraud or misuse. To date, we have found no instances of fraud of misuse," Astrue said. "However, if we did, we would immediately notify the affected individual and offer credit monitoring."
Consumer protection advocates and privacy experts are quick to lambast Social Security's actions that, they said, ignore the breach-reporting standards recommended four years ago by the Office of Management and Budget.
"This is a clear failure to follow the rules meant to warn consumers when their most private information has been exposed," said Carmen Balber, Washington director of Consumer Watchdog, a national advocacy group.
The federal government's silence about the breach prevents people from taking action to protect them from the threat of identity theft, privacy advocates said.
"Breach notice is a fundamental aspect of consumer protection," said Beth Givens, director of the San Diego-based Privacy Rights Clearinghouse. "Such notification gives individuals the information they need to take steps to rectify the situation. Without that notice, they are in a kind of Kafkaesque nightmare."
The federal government's silence about the confidential data breach would be illegal throughout most of the nation if Social Security officials had to abide by state law.
"There are data breach laws that would clearly cover this if private companies breached your Social Security number. They would be required to inform you of the breach," said Christopher Calabrese, legislative counsel for the American Civil Liberties Union and a self-described "privacy lobbyist."
"There is no federal statute on this issue for the federal government itself," Calabrese said.
The government's silence about the Social Security breach apparently violates a 2007 directive from the Office of Management and Budget ordering every agency to develop a breach notification policy when the confidentiality of personal data has been compromised.
"Notification of those affected — and the public — allows those individuals the opportunity to take steps to help protect themselves from the consequences of the breach," the OMB directive said. "Such notification is also consistent with the 'openness principle' of the Privacy Act that calls for agencies to inform individuals about how their information is being accessed and used, and may help individuals mitigate the potential harms resulting from a breach."
The California Legislature passed the nation's first mandatory privacy-breach reporting law — the Data Breach Notification Act — which first took effect on July 1, 2003. Since then, 45 other states have enacted similar requirements that companies and state agencies warn people if their personal information has been
compromised.
Only four states — Alabama, Kentucky, New Mexico and South Dakota — do not have breach laws.
"The states are almost always ahead of the federal government when it comes to consumer protection," Calabrese said. "There are several federal acts that have been proposed. But most consumer groups are concerned that a federal law will undercut the states by setting a lower standard than already exists."
(SHNS investigative reporter Thomas Hargrove can be reached at [email protected].)
