COLUMN-New Medicare cards a lone bright spot in identity-theft battle

(The opinions expressed here are those of the author, a columnist for Reuters.)

CHICAGO, Aug 17 (Reuters) - Older Americans are especially vulnerable to scams and identity theft, and Medicare is doing something about it. U.S. seniors will start receiving new identification cards next year as part of an effort to protect them from the rising risk of fraud.

But that is the only good news surrounding a sweeping federal initiative to bolster fraud defenses by reducing the widespread use of Social Security numbers as identifiers throughout the government.

Medicare cards use an identifier called the Health Insurance Claim Number (HICN) - but right now it is the same as your Social Security number. Starting in April 2018, the Centers for Medicare & Medicaid Services (CMS) will be mailing new cards to enrollees that use a unique, randomly assigned number.

The swap follows 2015 legislation that required CMS to stop using Social Security numbers by April 2019. But a broader effort to weed out Social Security numbers by government agencies is lagging, according to a report issued last month by the U.S. Government Accountability Office (GAO). The federal government has been working on the problem for more than a decade, but a morass of regulatory and technological issues have stymied progress.

To be fair, the problem is massive. GAO lists 24 federal agencies that use Social Security numbers in one way or another. Medicare cards were an egregious example, since seniors are especially vulnerable to identity theft. Yet CMS collects Social Security numbers from roughly 57.7 million Americans and displays them on Medicare cards.

“It’s a sobering problem,” said Cristina Martin Firvida, director of financial security at AARP. “The number of people on Medicare who hold Social Security numbers makes this a really daunting challenge.”

Medicare already has stopped using HICNs in the Medicare Summary Notices that are mailed to beneficiaries quarterly - a practice that left open the possibility of theft when mail is delivered incorrectly or stolen. The transition on Medicare cards will be automatic - recipients will be mailed new cards that utilize a unique, randomly assigned number called a Medicare Beneficiary Identifier.


Scammers reportedly are already trying to take advantage of the transition. AARP reports that some Medicare recipients have received calls from thieves telling them that they need to pay for their new Medicare cards and asking for personal information such as checking account and Medicare numbers.

A similar scam now making the rounds involves callers posing as government employees asking for personal data in order to confirm eligibility for the annual Social Security cost-of-living adjustment.

Medicare does not contact enrollees for Medicare numbers or other personal information, unless you have granted permission in advance. The only time you might receive a legitimate phone call from Medicare is if you have given CMS permission to call in advance; also, Medicare Advantage or prescription drug plans may call if you already are a member of that plan. You also might get a call from Medicare if you have left a message requesting a call-back. More information on preventing Medicare fraud can be found at the CMS website: ( The SSA does sometimes call beneficiaries for customer service purposes, but representatives never ask for personal information.

If you are not certain that a call from Medicare or Social Security is legitimate, simply hang up and call the agency back on the customer service lines: (800) 633-4227 or (800) 772-1213 for Social Security.

Meanwhile, hackers already have demonstrated their ability to do massive damage. In 2015, a break-in at the federal Office of Personnel Management (OPM) led to theft of sensitive personal data of roughly 4 million federal employees.

Martin Firvida worries about the damage that could occur if the SSA were hacked. “We’re very focused on whether the SSA is prepared for a hack - we’re very aware of how dramatic it would be if something like the OPM hack occurred at the SSA.”

The SSA has been taking steps to modernize its technology. And last year the agency moved to bolster its public website security by adding a mandatory extra layer of website log-on steps that required customers to receive a code via text message. That effort stalled when critics noted, correctly, that many older Americans do not use text messaging. In June, the SSA rolled out a revised plan that requires online users to receive a one-time text or email message to log on.

The new Medicare cards are still months away from delivery. In the meantime, AARP advises seniors not to carry their cards with them. Most of the time, that is not necessary since healthcare providers usually have their patients in their electronic systems and know how to bill them. Another idea is to make a photocopy of your card and scratch out all but the last four digits.

AARP offers a fraud prevention resource website ( that suggests strategies for protecting yourself from identity fraud. (Editing by Matthew Lewis)