This action might not be possible to undo. Are you sure you want to continue?
An obscure database causes mischief and misery
SCRIPPS HOWARD NeWS SeRvICe
About the Grave Mistakes special report
It’s a database few have heard of: a government-run, publicly available list of deceased Americans. The database, originally designed to prevent fraud, has turned into something else in the Internet era: a jackpot for identity thieves and a cause of heartache, inconvenience and loss for thousands of innocent victims. In the first in-depth examination of the unintended consequences of this Social Security Administration database — known as the “Death Master File” — Scripps Howard News Service reporters Thomas Hargrove and Isaac Wolf, and Scripps broadcast reporters, uncovered case after case of how an obscure database has created fist-pounding frustration and financial nightmares for thousands of people. The cases rival the worst of Orwell or Kafka, where innocent citizens must “prove” they are alive to a skeptical government that is convinced they are dead because a computer says so. In this, the federal government has been complicit since 1980 and lawmakers have been unconcerned. Until now. As a result of a yearlong Scripps investigation of the death file and identity theft records, members of Congress are speaking out and fixes are underway. Among the discoveries by the Scripps team, which analyzed the nearly 90 million names in the death file, along with 1.4 million identity theft complaints lodged with the federal government: • Scripps identified 31,931 Americans listed as deceased when they were in fact alive. Each month, Social Security mistakenly adds to the list another 1,200 “walking dead.” Those wrongly declared dead can’t get jobs, buy a house, open a bank account, sign a lease, obtain a credit card or even purchase a cellphone. We found one victim who was arrested on suspicion of ID fraud. • The reporters uncovered dozens of cases in 11 states where ID thieves used the Social Security numbers, available in the death file, to profit from the deaths of children. The thieves filed phony tax returns claiming the dead children as dependents, which only added to the distress of the true parents. • Identity thieves are enjoying the protection of medical privacy laws. Using purloined information, the thieves get free medical care, leaving insurance companies and honest patients to pay. The fraud puts the honest patients at physical risk because medical providers refuse, citing privacy laws, to give access to the medical records falsely created in their names. In one case, a bogus medical file created with an ID thief ’s health information almost led to a patient receiving a transfusion of the wrong type of blood. Reaction to the stories has been swift. Rep. Sam Johnson, R-Texas, held a House committee hearing on the death-file abuses in February 2012, and has introduced legislation to restrict access to the records. Social Security Commissioner Michael Astrue, who revealed that a close relative had been erroneously listed as dead, acknowledged the “havoc” such errors can cause, and told Congress his agency is reexamining its policy of not informing victims of the mistake. And Social Security decided to significantly curtail the amount of personal information it includes in the death database. In the wake of the Scripps stories, Sens. Bill Nelson, Sherrod Brown, Richard Blumenthal and Richard Durbin wrote to officials at genealogy websites, which post the death-file records online, and urged them to curtail the public listing. The largest such site — Ancestry.com — ended the practice in response. And Rep. Frank Pallone, of New Jersey, the top Democrat on a House health panel, is pursuing legal changes that would allow victims of medical ID theft to correct their own medical files. I am proud to present these stories — which identified a hidden danger and persuaded the people responsible to fix it — as an example of the public service to which Scripps journalists are committed. Sincerely, Peter Copeland Editor & General Manager Scripps Howard News Service
About the Grave Mistakes special report Social Security clerically kills thousands of Americans each year Americans face woes after being ‘killed off’ by Social Security Social Security death list enables ID theft, tax fraud ID thieves cashing in on dead children’s information What can a parent do? Not much. Social Security kept silent about private data breach Social Security chief concedes it is ‘havoc’ for wrongly dead Social Security ‘death file’ foul-ups hit home for agency’s chief Geneaology sites remove Social Security numbers of deceased Bill aims to stop ID thieves from profiting off children’s deaths 9/11 victims missing from death list ‘Death file’ errors threaten research Social Security cuts info in online file used by bank, ID thieves Docs withhold records from victims of medical ID theft Tax-refund ID thieves face crackdown Social Security ‘Death File’ designed to fight fraud but now aids it Medical ID theft victims need way to fix records, lawmaker says Tax refunds newest target in ID thefts Editorial: Congress should require notification of security breach Making news across America Editorial: Feds must stop scam of stealing from dead children
2 Reporters 4 8 10
Lee Bowman Thomas Hargrove Waqas Naeem Isaac Wolf Editorial writer Dale McFeatters Lead editor Editors
12 Lisa Hoffman 16 Peter Copeland 17 Bob Jones 20 22 24
David Nielsen Photo editor Sheila Person Multimedia editors Danielle Alberti Jason Bartz Kristin Volk Carol Guensburg
25 Multimedia reporter 26 28 31 32 35 36 37 38 41 42 44
202-408-1484 or firstname.lastname@example.org. Our website www.scrippsnews.com
Scripps Howard News Service is part of the E.W. Scripps Co.
SCRIPPS HOWARD NeWS SeRvICe
Social Security clerically kills thousands of Americans each year
By Thomas hargrove Scripps Howard News Service may 23, 2011
The Social Security Administration each month falsely reports that nearly 1,200 living Americans have died. These clerical errors, found in a federal database ominously titled the “Death Master File,” might be darkly humorous — evoking Mark Twain’s famous quip that death reports can be greatly exaggerated — were not the consequences so severe. “It has just been one thing right after another since I found out that I was dead,” said an unsmiling Judy C. Rivers, 58, of Jasper, Ala. “Right now, I am still looking for a job. I hate to give out my Social Security number because I know exactly what is going to happen.” Dozens of times, Rivers has been told that her Social Security number is inactive because she’s deceased. Police detained her for several hours last year under suspicion of identity fraud when she tried to use her debit card at a local Walmart. She’s been denied college aid and home-refinance
loans, been refused job interviews because of irregularities in her file and been rejected 14 times for credit cards. “All of them said basically the same thing: ‘The Social Security number cannot be confirmed’ or ‘Social Security number deactivated due to death,’” Rivers said. The Social Security Administration has denied that it was the source of the error in Rivers’ records and gave her letters certifying that she is alive and that her Social Security account is active. “We make it clear that our death records are not perfect and may be incomplete or, rarely, include information about individuals who are alive,” said Social Security Administration spokesman Mark Hinkle. Scripps Howard News Service obtained three copies of the federal death file — widely available to anyone on the Internet — from 1998, 2008 and 2011. By comparing the files, Scripps easily identified 31,931 living Americans who
SHNS photo by Thomas Hargrove
“I don’t think most Americans are aware that … the most private information is available directly from the government,” said Carmen Balber, Washington director for the nonprofit group Consumer Watchdog.
were listed as deceased in 1998 or 2008 but were later taken off the death list after the Social Security Administration realized the errors. The Death Master File was created in 1980 at the request of U.S. business interests to prevent consumer fraud. The massive database listing 90 million deceased Americans is widely distributed throughout government and among credit, banking and other private business groups. The file is used to allocate federal benefits like Social Security and Medicare and to determine eligibility for bank loans, credit cards and insurance coverage. Employers looking for irregularities in a prospective employee’s background access the file as part of routine background checks. The United Network for Organ Sharing — a private, nonprofit organization that manages the U.S. organ-transplant system under a contract with the U.S. Department of Health and Human Services — even uses the DMF to
determine eligibility of organ-transplant candidates. Hinkle said about one in every 200 entries the Social Security Administration makes to the Death Master File is false because of “inadvertent keying errors” by federal workers. That means about 14,000 people are wrongly listed as deceased among the approximately 2.7 million deaths reported annually, Hinkle said. “Living individuals are sometimes included in the DMF; however, it is a very small percentage,” Hinkle said. Newspapers and television stations owned by the E.W. Scripps Co. around the nation contacted dozens of the clerical victims of the Death Master File. Many reported profound impact upon their creditworthiness. Mary Dubord of Newburgh, Ind., was falsely listed following the 1994 death of her mother-in-law, Myrtle Dubord. Her Social Security payments stopped and the Internal Revenue Service began questioning her income tax
SCRIPPS HOWARD NeWS SeRvICe
Incorrect Social Security death
Scripps Howard News Service identified 31,931 Americans who had been falsely listed as deceased by the Social Security Administration in its Death Master File. Of these, the federal agency provided enough information to determine the state of residence of 24,045 people. Error rate per 100,000 population within each state
WA MT OR ID WY NV CA NE UT CO KS OK ND SD IA IL MO TN AR MS TX AK LA FL AL GA MN WI NY MI PA IN KY SC OH WV VA NC VT
ME NH CT NJ DE MD DC
State Alabama Alaska Arizona Arkansas California Colorado Connecticut Delaware D.C. Florida Georgia Hawaii Idaho Errors Rate 415 8.7 11 1.6 404 6.3 242 8.3 2,872 7.7 322 6.4 350 9.8 88 9.8 108 17.9 1,194 6.4 766 7.9 89 6.5 77 4.9 Illinois 1,695 13.2 Indiana 450 6.9 Iowa 149 4.9 Kansas 147 5.2 Kentucky 351 8.1 Louisiana 682 15.0 Maine 85 6.4 Maryland 505 8.8 Massachusetts 661 10.1 Michigan 882 8.9 Minnesota 296 5.6 Mississippi 267 9.0 Missouri 453 7.6
Source: Scripps Howard News Service analysis of the Social Security Administration’s Death Master File for 1998, 2008 and 2011.
Montana 68 Nebraska 96 Nevada 124 New Hampshire 66 New Jersey 715 New Mexico 139 New York 1,794 North Carolina 642 North Dakota 29 Ohio 1,054 Oklahoma 357 Oregon 234 Pennsylvania 1,191
6.8 5.3 4.6 5.0 8.1 6.8 9.3 6.7 4.3 9.1 9.5 6.1 9.4
Rhode Island 134 12.7 South Carolina 243 5.3 South Dakota 39 4.8 Tennessee 481 7.6 Texas 1,511 6.0 Utah 97 3.5 Vermont 34 5.4 Virginia 511 6.4 Washington 446 6.6 West Virginia 144 7.8 Wisconsin 314 5.5 Wyoming 21 3.7 USA 24,045 7.8
statements. She eventually gave up her struggles with credit bureaus and relies on credit cards obtained by her husband for daily life. “You don’t want to have the name ‘M. Dubord,’” she said. Others resorted to unusual tactics when making major purchases. “I can only buy cars from one particular salesman (who) already knows that somewhere along the line, I am going to get SHNS photo by Scott Mauldin / Vulcan Media flagged for being dead,” Judy Rivers of Jasper, Ala., reviews the voluminous paperwork generated in her quest to said Amy Duckworth rejoin the living. of Memphis, Tenn. “Fortunately, he knows I am still alive.” 32,000 living Americans — the kind of information that is Others faced significant consequences that lasted many automatically released when people die. Experts warn that years. this information is all a thief would need to commit many “I couldn’t get a mortgage because, well, dead people kinds of identity fraud. can’t get mortgages,” said Laura Todd, 58, of Nashville, “This information should not be public. It puts all of Tenn., who was put on the list in 1999, taken off and inexthese people at risk for identity theft and other forms of plicably put back on a few years later. fraud. It’s a shame,” said Beth Givens, executive director From 1999 through 2008, Todd suffered cancellation of the San Diego-based Privacy Rights Clearinghouse, a of her medical disability payments, two refusals by the IRS nonprofit consumer advocacy group that has received comfor her federal income tax refunds, cancellation of her credit cards and freezes placed upon her bank accounts. A fam- plaints from victims of false death reporting. “The Social Security number, unfortunately, has taken ily member even called Todd to warn that a record of her on a lot more purposes than it was originally meant to. It is death was posted on a genealogy website. being used both as an identifier and an authenticator. That “I spent almost 10 years trying to straighten this all should not have been allowed to happen.” out. No one ever sent me an apology or anything,” Todd Some want an end to the wide public distribution of said. “The scary thing is that there are more and more baby the death file. boomers who are going to start applying for benefits. If they “We don’t believe that such private information about don’t get this system in tow, it is going to get worse.” Americans should be so readily available online,” said CarConsumer experts warn it’s the false death reports that men Balber, Washington director of the nonprofit Conare the most worrisome problem with the Death Master sumer Watchdog advocacy group. She called on the Social File. Security Administration to create a more secure method of Scripps easily obtained the full names, Social Security confirming if a Social Security number is active. numbers, dates of birth and residential ZIP codes of nearly
SCRIPPS HOWARD NeWS SeRvICe
Americans face woes after being ‘killed off’ by Social Security
By Thomas hargrove Scripps Howard News Service aug. 1, 2011
Esther Enos, 61, of Abilene, Texas, found out she was “dead” when her cellphone suddenly stopped working about six years ago. “They cut off my service and I went to find out why,” Enos told the Abilene Reporter-News in Texas. “They said I was using the Social Security number of a deceased woman.” Many others found out while shopping. “Well, I’m standing right here in front of you,” retired truck driver Johnny Blevins, 69, of Seymour, Tenn., told a Radio Shack clerk who said his Social Security number indicated that he is deceased. “He still wouldn’t sell me a phone.” The Knoxville News Sentinel in Tennessee reported that the federal records’ error resulted in Blevins’ banking account being frozen. Enos and Blevins are among 31,931 Americans whose names were discovered by Scripps Howard News Service in a search for errors in the massive “Death Master File” database maintained by the Social Security Administration. The government makes about 14,000 such errors every year — or about 1 out of every 200 death reports — because of “inadvertent keying errors” by federal workers, according to Social Security spokesman Mark Hinkle. That would mean more than 400,000 people have been falsely declared dead since 1980, when the Death Master File was created at the request of U.S. business interests who wanted the records to reduce consumer fraud. People on the receiving end of the errors report they’ve suffered serious damage to their creditworthiness and, frequently, considerable financial hardship. Taryn Jerez, 22, of Tampa, Fla., found out when she applied for a student loan. “Unfortunately, the bank is unable to approve your request for the reason stated below — deceased,” Jerez said, quoting her letter of denial to a WFTS reporter in Tampa. As a precaution, Jerez now travels with a special docu-
ment in her car’s glove box. “I keep a copy of the paper from Social Security stating that I am, in fact, alive,” she said. Brigitte Bartels, 64, of Phoenix found out in 1995 when she applied for a bank checking account after she was divorced. “They looked at me and said, ‘We don’t open an account for a deceased person,’” Bartels told KNXV television in Phoenix. The problems continued for 15 years, causing her difficulties with the Internal Revenue Service and several employers, and with her Social Security benefits. She became a frequent visitor to the Phoenix Social Security office. “Ten times I went down and said: ‘Here’s my driver’s license. Do I look dead?’” she said. “It seemed like every couple of years I would have to go back and prove I wasn’t dead. I kind of made a joke out of it, and it wound up not being so funny.” Marion Franciosa, 91, of Delray Beach, Fla., for several years was denied an official Florida ID card, a critical document for many routine transactions like cashing a check or making major purchases. “Gee, at this age, I should have so much trouble?” Franciosa asked WPTV of West Palm Beach, Fla. “It didn’t seem right. Here I am, alive, and they have me down as dead.” Dwayne Williams, 47, of Grosse Ile Township, Mich., found out during a very unusual telephone call in 1995 after he applied to lease an apartment. “They asked to speak with Dwayne Williams. ‘So, OK, you’re speaking with him,’” Williams told WXYZ television in Detroit. “Then there was a pause. ‘Dwayne Williams?’ I said, ‘Yes.’ ‘Umm, it says here you’re deceased.’” He thought he’d cleared up the error with a visit to his local Social Security office. But a year later, Williams was denied a credit card because the bank could not verify his Social Security number. “It cropped up again saying I’m dead, so I had to prove
SHNS photo courtesy of Library of Congress
From its first days in 1937, the Social Security Administration has faced an enormous challenge tracking millions of Americans. Here, an unnamed federal worker monitors issuance of employee master cards. “Chances of a mechanical error escaping detection are infinitesimal in the Social Security Board Records Office and great care is exercised to guard against human error,” the Social Security Administration assured when releasing this photo.
it again,” Williams said. Walter Norris, 76, of Oak View, Calif., found out in 1997 when he and his wife tried to make a credit-card purchase at a local Target department store. The charge was denied. “Later on that day we went to Costco and tried to get gas and it popped up again,” Norris told the Ventura County Star in California. “There weren’t any funds in the bank.” He later learned that Social Security had pulled all of their funds out of their checking account — a common complaint among retirement recipients who were falsely reported dead.
Scripps first reported problems with the Death Master File in a series of stories released July 10, 2011. Among the victims of the accounting errors was Judy C. Rivers, 58, of Jasper, Ala., who was detained by police for several hours, denied college and mortgage loans, suffered difficulties obtaining job interviews and was denied credit cards 14 times. “I’ve had people call me from all over the country,” Rivers said as a result of the story. “I send them a list of the proper authorities whom they should be dealing with. If they are close enough, I’ll go to the Social Security office to try to help them if I can.”
SCRIPPS HOWARD NeWS SeRvICe
Social Security death list enables ID theft, tax fraud
By Thomas hargrove and Isaac Wolf Scripps Howard News Service Nov. 3, 2011
A little-known but widely used federal database meant to protect Americans from fraud has itself become a major source of mischief and misery. Crooks are pocketing fraudulent tax refunds after filing returns with personal information about recently deceased people found in the Social Security Administration’s “Death Master File,” which is widely available on the Internet, federal authorities and consumer experts say. The Internal Revenue Service — citing data it is making public for the first time at the request of Scripps Howard News Service — estimates that tax filers improperly submitted 350,000 returns on dead Americans this tax season, improperly seeking up to $1.25 billion in refunds. Parents who recently lost a child are increasingly targeted by these thieves, experts say. Armed with the deceased child’s Social Security number and other personal information, the crooks falsely claim them as dependents and have the refunds routed to them. Among the victims is Matt Pilcher of Potomac, Md., who still grieves over the 2010 death of his daughter, Ava, from lung disease following her premature birth. Pilcher’s 2010 income tax filing was rejected by the IRS because someone else claimed Ava as a dependent. “All we really have is her memory and her name,” Pilcher said. “For someone to try to take that, to steal that, to appropriate that for themselves — it’s beyond reprehen-
sible.” The Death Master File contains the names, birthdates and Social Security numbers of more than 90 million deceased Americans. It is updated every week and can be accessed for free at several genealogy websites. “We were able to go on a website and found all her information there. The Death Master File is where they (crooks) got that information,” Pilcher said. A relic of simpler times, the death file was created in 1980 under the new Freedom of Information Act at the request of U.S. businesses seeking a tool against identity theft. In that post-Watergate and pre-Internet era, it seemed like an open-government solution to the rising problem of consumer fraud. But serious problems stemming from the Death Master File recently have come to light. The Social Security Administration, in response to an investigation by Scripps Howard, acknowledged in May that it accidentally lists about 14,000 living Americans each year in the death database. People who are inaccurately listed as dead frequently fall into an Orwellian nightmare in which they have trouble getting jobs, opening bank accounts, buying cars, renting apartments, or even purchasing mobile telephones. But the discovery that the database also has become a major source of tax fraud is an especially troubling wrinkle
for federal authorities and consumer protection experts. And there is little that grieving parents can do to protect themselves if thieves decide to take their dead child’s name, birthdate and Social Security number. Identity crooks need only file for a tax refund before the family can. “Criminals have found the perfect loophole,” said Joanna Crane, former manager of the Federal Trade Commission’s Identity Theft Program. “It doesn’t give the IRS time to detect that something is wrong. By the time they do, the money is already out the door.” It’s especially embarrassing that a federal anti-fraud database enables the crimes. “This is such a mess,” concluded Nikki Junker, a victim adviser for the San Diego-based Identity Theft Resource Center. “Identity theft is growing very quickly. It’s just insane, all of these public sites that are posting this information.” The Social Security Administration says it is powerless to act. “The information that is released via the public (Death Master File) is the information that must be disclosed under the Freedom of Information Act,” Social Security spokesman Mark Hinkle said. “Congress would need to amend FOIA laws in order for us to limit the amount of information that we are obligated to make public under the law.” Other federal authorities question whether the law forces the agency to remain so passive. “If the SSA feels it must ask the court that entered a consent judgment in a 1980 FOIA case to modify the judgment, it should do so,” said Nina Olson, head of the IRS’ internal watchdog office. The database poses a dilemma for major genealogy firms. “We understand that there is some sensitivity around this database, which is why we only disclose information provided by the Social Security Administration that has already been made public,” said Heather Erickson, spokeswoman for Ancestry.com, which claims to be the world’s largest genealogy site. Officials at The Church of Jesus Christ of Latter-day Saints (Mormon) said the federal government does not allow them — or others — to redact Social Security numbers they post on the site they administer, FamilySearch.org. “By contract, the records received from the Social Security Administration must be posted in their entirety,” said Chief Genealogical Officer David Rencher in Salt Lake City. “This same subscription service is also used by organizations including banks, credit unions and credit bureaus to protect against identity fraud.” Without directly responding to Rencher’s comment, a spokesman for the U.S. Department of Commerce, which distributes the death file, provided a copy of the agreement users must sign. It says users must make regular updates to the “full file” so that it is “up to date with SSA’s records.” For years, watchdogs have railed against the Death Master File. In a scathing 2008 audit, Social Security’s Inspector General’s Office urged the agency to: — Wait at least a year before posting private information about deceased Americans. Such a delay would improve the accuracy of the information and decrease its usefulness to tax cheats. — Limit the amount of information released in the list, especially to “explore alternatives to inclusion of the full” Social Security number. The audit also addressed concerns about the approximately 14,000 living Americans whose names and SSNs are released each year, saying the agency breaks federal law by releasing that private information. In these cases, the report called on the agency to notify living Americans of the mix-ups. Social Security officials asked the inspector general to keep its report secret since it “highlights the issue” that the Death Master File can be used for fraudulent purposes and “could encourage misuse.” The agency agreed to consider the recommendations, but so far has not enacted any of them. “While we believe that wider notification (to people at risk) is a piece of that protection, we also believe that narrowing the range of information included in the public release, delaying the public release to allow for corrections, and similar actions are at least as important,” Assistant Inspector General Jonathan Lasher told Scripps Howard. Lasher said his office earlier issued a new review criticizing Social Security for not acting on its recommendations which “are based on concerns that more can be done.” Pilcher, the Maryland dad, wants policy changes — and justice. Although federal authorities refuse to provide any details about who claimed Ava on their tax return; the IRS says it cannot divulge private information about anyone’s tax filings — Pilcher vowed to find the culprit. “I don’t care how long it takes,” he said. “I’m going to find out who did it!”
SCRIPPS HOWARD NeWS SeRvICe
ID thieves cashing in on dead children’s information
By Isaac Wolf and Thomas hargrove Scripps Howard News Service Nov. 3, 2011
Identity thieves are cashing in on dead children across the nation, stealing their Social Security numbers to collect fraudulent tax refunds from the Internal Revenue Service. Grieving families say their anguish is amplified by the realization that the crooks get help from an unexpected source: the Social Security Administration itself. “To see someone acting so evil, so despicable they would prey on children — you would think it’s untouchable,” said Neely Agin, of Arlington, Va. “I’d think there is some human decency.” Crooks this year stole the identity of Alexis Agin, a spunky 4-year-old with thick-lashed blue eyes, an insatiable appetite for Italian wedding soup, and a smile that capti-
vated the doctors trying to defeat her inoperable brainstem tumor. After Alexis died in January, parents Neely and Jonathan Agin requested an extension from the IRS and filed their tax return in October. When their accountant informed them Oct. 13 that Alexis had already been claimed as a dependent, they said they were “flabbergasted.” The Agins have not yet received their refund, but the IRS typically resolves these cases in about six weeks, other families report. Scripps Howard News Service identified 28 families from California to Georgia who say thieves sought to profit off their dead children by claiming them as dependents.
SHNS photo by Bill Clark / for Scripps Howard News Service
SCRIPPS HOWARD NeWS SeRvICe
Because the IRS will not provide ID theft victims with details about the fraudulent filers — ironically, the crooks also have a right to privacy, the agency says — Jonathan Agin and other victims say they have no idea who claimed their children or how. But he and other victims are convinced that the thefts stemmed from the easy online availability of their children’s SSNs. Federal officials say ID thieves find their victims in a publicly available federal database: Social Security’s “Death Master File.” It records and lists information about everyone who dies in the United States, including Social Security numbers and birth dates. The Death Master File, which was created in 1980 to help financial institutions fight fraud, has also been posted — and updated weekly — online for years by popular genealogy sites, including Ancestry.com, which charges a nominal fee, and FamilySearch.org, a free site run by The Church of Jesus Christ of Latter-day Saints, the Mormons. Although there is no national tally of the purloined use of dead children’s identities, the threat has mushroomed in the last five years, said Pat Loder, executive director of The Compassionate Friends USA, a nonprofit organization in Oak Brook, Ill., that serves grieving parents and families. As a protection, Loder has directed the group’s 630 U.S. chapters to stop posting deceased children’s birthdays in local newsletters. “Their identities are ripe for the picking,” Loder said, blaming the Internet for the surge in risk. “Times change, and the world now is not the one we used to live in.” It is not just deceased children whose IDs are being stolen. Officials at the IRS, responding to an ongoing Scripps investigation into identity theft, for the first time revealed the staggering scope of the problem: Shady tax filers submitted an estimated 350,000 returns on dead Americans this tax season to falsely claim $1.25 billion in refunds. “It takes a sick individual to do this,” said Pamela DeVille of Lafayette, La. DeVille’s life became a nightmare after her daughter Alayiah — whose infectious smile, long curly hair and beautiful face would “light up a room” — fell down a flight of stairs, broke her neck and died at age 13 in January 2009, DeVille said. When DeVille filed her tax return three months later, the IRS rejected it. Someone else had already claimed the teen as a dependent. DeVille said she had no idea how Alayiah’s Social Security number could have been taken — until a reporter told her it was released by the federal government and posted on several websites. “That’s horrible! Isn’t there any type of law against that?” she asked. The answer is no. “It is frankly appalling,” said Nina Olson, head of the IRS’ independent consumer watchdog office. She said the federal government “aids and abets identity and tax fraud” by releasing full Social Security numbers. Olson said Congress should take action. Social Security officials acknowledge that the records they release are misused, but said a 31-year-old federal court order hamstrings them from fixing the problem. “It is tragic that unscrupulous individuals use the public DMF” — the Death Master File — “to commit tax fraud,” spokesman Mark Hinkle told Scripps. “But our hands are tied, however, and change will only happen if Congress acts.” Representatives of Ancestry.com, which says it is the world’s largest genealogy website, and FamilySearch.org, the Mormon-backed one, both defended the practice of posting full Social Security numbers, saying that they are merely publicizing information that has already been released by the federal government. But some U.S. officials, and many victims and privacy groups, say something must be done to curb the easy availability of the Social Security numbers. Suggested fixes include restricting the use of the Death Master File, delaying how quickly the information is released, or making public only the last four digits of Social Security numbers. “I can’t understand why it’s necessary to display a whole Social Security number,” said Lisa Watters. Her 5-year-old son, Benny, a bespectacled blond boy who played pingpong from his hospital bed while fighting a brainstem tumor for more than two years, died in September 2010. After obtaining an extension, Benny’s family in Lake Forest, Ill., filed a tax return in August 2011, only to have it rejected. The parents have re-filed by mail and are awaiting a refund. Lisa Watters points the finger at the genealogy websites — Benny’s number is readily available on FamilySearch. org. “It just seems like such a simple fix,” she said. Taxpayer advocate Olson said that after the IRS instituted a new anti-fraud filter in April, it red-flagged 200,000 questionable tax returns suspected of improperly claiming dead people. Those returns had sought more than $850
SHNS photo by Bill Clark / for Scripps Howard News Service
Jonathan and Neely Agin’s daughter, Alexis, died of brain cancer. The grieving couple, from Arlington, Va., say their daughter’s Social Security number has been used fraudulently. Alexis loved snow globes and made this one before dying at age 4.
million in tax refunds. Had that defense system been in place for the entire tax-filing season, it would have stopped another 150,000 questionable returns claiming the dead — worth an extra $400 million in refunds, she said. While noting that the filters are not perfect at detecting fraud, her office pointed to them as proof of the billion-dollar scope of the theft. It’s unknown if the crooks who stole Benny Watters’ ID submitted their false claim before the IRS had instituted its new filter, or after. The IRS would not speak on the record about misuse of the Death Master File, and said federal law prohibits it from talking about specific cases. In a statement, the agency said it focuses on preventing, detecting and resolving ID theft. Even when families are warned about the ID theft
threat, there’s little they can do to prevent it. When Marine Corps Lt. Col. Ryan Reilly’s 7-year-old son died June 22, 2009, after a long bout with a brainstem tumor, the funeral home director alerted Reilly that someone might try to cash in on young Liam’s death. He was right. In March 2010, the Spotsylvania, Va., family’s tax return was rejected, and the IRS said only that someone had already claimed a tax credit for Liam. “It rubs raw all those wounds again,” Reilly said of learning his son’s identity was stolen. Reilly demanded answers, sending the IRS “a pretty strong letter saying, ‘I want to know what happened.’” Reilly never received an agency response — except for his refund about six weeks later, he said.
SCRIPPS HOWARD NeWS SeRvICe
What can a parent do? Not much.
By Isaac Wolf Scripps Howard News Service Nov. 13, 2011
There’s not much parents can do to prevent a thief from stealing their dead child’s personal information. Once a child’s death is reported to the Social Security Administration, the agency records the child’s Social Security number and birth and death dates in its “Death Master File.” From there, the information becomes publicly available, for free on some genealogy websites and otherwise for a fee. Then, it’s open season for thieves, who scan the updated file for a newly dead child, then quickly turn around and use the child’s Social Security number and other sensitive information to file a fraudulent tax return claiming the child as a dependent. The crooks route the refunds to themselves. The first grieving parents learn of the scam is usually months later when they file their tax return and the Internal Revenue Service rejects it because the child already has been claimed as a dependent. Families interviewed by Scripps Howard News Service said that they had to re-file their 1040 forms to the IRS, which generally sent them their rightful refund in six to eight weeks. So how can you prevent a child’s identity information from being made public? The short answer is: You can’t. The Social Security Administration says it is re-
quired by law to make the information publicly available. Genealogy sites say their hands are tied, and they cannot remove or redact the information that appears online for anyone to see. The IRS says it is trying to combat the fraud — the agency has assembled a growing staff to investigate the thefts, and this year it introduced filters to identify bogus claims. But the IRS will not divulge any information about cases, and says it must respect the privacy of all filers — crooks included. Among the few steps you can take: • File taxes early. The IRS typically processes returns in the order received. Try to get your 1040 to the taxman before an impostor has a chance to claim your child. • Don’t expect answers. By law, the IRS cannot share information about the person who claimed your child. So let go of any desire to hunt down the culprit yourself. • Contact credit bureaus. It’s possible the thief also tried to use your child’s name to take out credit cards or turn on utilities. To find out, contact the credit-rating agencies: Experian, Equifax and TransUnion. • Brace for it. Families hit with this type of ID theft say the worst aspect of the crime is the awful realization that someone tried to exploit a child’s death for profit.
Social Security kept silent about private data breach
By Thomas hargrove Scripps Howard News Service oct. 13, 2011
The Social Security Administration has failed to inform tens of thousands of Americans that it accidentally released their names, dates of birth and Social Security numbers in an electronic database widely used by U.S. business groups. The federal agency has kept silent about a potentially harmful security breach of the personal data of about 14,000 people each year, ignoring recommended reporting guidelines for such confidentiality breaches and violating the intent, at least, of the U.S. Privacy Act, which protects personal information of private citizens. The mistakes Social Security has made — and continues to make — with a database called the “Death Master File” underscore how federal consumer protection laws lag far behind most of the nation. Legislation in 46 states makes disclosure of such breaches mandatory, although federal agencies generally are exempt from state and local laws. “I certainly have never been warned about this. I totally object to that,” retired University of Tennessee agriculture professor John R. Jared, 68, said after a reporter recited his Social Security number and date of birth, gleaned from the database. “I’m glad to know about this.” Jared was one of 31,931 living Americans discovered in a Scripps Howard News Service review of three copies of the Death Master File. These files, which are available for purchase from many sources on the Internet, contained
their Social Security numbers and birth dates — critical information needed by identity thieves. “That’s just not supposed to be public information — especially not my Social Security number,” Jared said. “This needs to be corrected.” Reporters at newspapers and television stations owned by the E.W. Scripps Co. interviewed dozens of people nationwide who have suffered security breaches because of what Social Security officials have called “inadvertent keying errors” by federal workers when entering what was supposed to be information only about dead people. None reported the federal agency warned him or her about the breach of confidential information. Most of those erroneously listed as dead who were contacted for this story said they only found out about the agency’s mistakes when they suffered adverse events like frozen bank accounts, canceled cellphones, refused job interviews, declined credit card applications, denied apartment leases or refused mortgage and student-assistance loans. Such events are common when the names and Social Security numbers of living Americans mistakenly are placed onto the official list of deceased persons, the Scripps investigation has found. “Our government really needs some shaping up,” said Laura Todd, 58, a Nashville, Tenn., woman who twice was falsely listed on the Death Master File. “I spent almost 10
SCRIPPS HOWARD NeWS SeRvICe
Letter to the IRS from John R. Jared after he learned he’d been listed as dead. He didn’t discover his Social Security number and other personal information had been made public until he was contacted by Scripps.
years trying to straighten this allout. No one ever sent me an apology or anything.” Social Security officials admit that, each year, they accidentally release personal information of about 14,000 living Americans by posting their files among the records of 90 million deceased Americans. If their estimate is accurate, confidential data about 400,000 living Americans have been released since 1980, when the Death Master File became public under a Freedom of Information Act lawsuit. U.S. business interests asked that the file become public to help protect them from fraud by thieves who assume the identities of dead people. Several members of Congress have begun asking questions about errors in the Death Master File (DMF) as a result of the Scripps investigation. Social Security Commissioner Michael Astrue, who declined to be interviewed for this story, told them his agency would breach its silence if it detected indications of fraudulent activity.
“When we discover that we have included a living individual on the DMF, we take prompt action to correct our records,” Astrue told Deputy Senate Majority Leader Richard Durbin, D-Ill., in a letter dated Sept. 21. Astrue also said the breach is reported to the United States Computer Emergency Readiness Team (commonly called CERT), a part of the Homeland Security Department’s National Cyber Security Division. “An independent contractor reviews all cases of inadvertent exposure of people’s information to identify fraud or misuse. To date, we have found no instances of fraud or misuse,” Astrue said. “However, if we did, we would immediately notify the affected individual and offer credit monitoring.” Consumer protection advocates and privacy experts are quick to lambaste Social Security’s actions which, they said, ignore the breach-reporting standards recommended four years ago by the Office of Management and Budget. “This is a clear failure to follow the rules meant to warn
consumers when their most private information has been exposed,” said Carmen Balber, Washington director of Consumer Watchdog, a national advocacy group. The federal government’s silence about the breach prevents people from taking protective action against the threat of identity theft, privacy advocates said. “Breach notice is a fundamental aspect of consumer SHNS photo by Paul Efird / Knoxville News Sentinel protection,” said Beth Givens, direc- John R. Jared, a retired University of Tennessee agriculture professor, learned the federal government accidentally released his Social Security number and other personal data. “I tor of the San Di- totally object to that,” he said. ego-based Privacy Rights Clearinglows those individuals the opportunity to take steps to help house. “Such notification gives individuals the information protect themselves from the consequences of the breach,” they need to take steps to rectify the situation. Without that the OMB directive said. “Such notification is also consistent notice, they are in a kind of Kafkaesque nightmare.” with the ‘openness principle’ of the Privacy Act that calls for The federal government’s silence about the confidential agencies to inform individuals about how their information data breach would be illegal throughout most of the nation is being accessed and used, and may help individuals mitiif Social Security officials had to abide by state law. gate the potential harms resulting from a breach.” “There are data breach laws that would clearly cover this The California Legislature passed the nation’s first if private companies breached your Social Security number. mandatory privacy-breach reporting law — the Data They would be required to inform you of the breach,” said Breach Notification Act — which first took effect on July Christopher Calabrese, legislative counsel for the American 1, 2003. Since then, 45 other states have enacted similar reCivil Liberties Union and a self-described “privacy lobbyquirements that companies and state agencies warn people ist.” if their personal information has been compromised. “There is no federal statute on this issue for the federal Only four states — Alabama, Kentucky, New Mexico government itself,” Calabrese said. and South Dakota — do not have breach laws. The government’s silence about the Social Security “The states are almost always ahead of the federal govbreach apparently violates a 2007 directive from the White ernment when it comes to consumer protection,” Calabrese House Office of Management and Budget ordering every said. “There are several federal acts that have been proposed. agency to develop a breach notification policy when the But most consumer groups are concerned that a federal law confidentiality of personal data has been compromised. will undercut the states by setting a lower standard than al“Notification of those affected — and the public — already exists.”
SCRIPPS HOWARD NeWS SeRvICe
Social Security chief concedes it is ‘havoc’ for wrongly dead
By Thomas hargrove Scripps Howard News Service sept. 27, 2011
Social Security Administration Commissioner Michael Astrue has conceded that mistakes by his agency “can wreak havoc” for the estimated 14,000 living Americans who each year are falsely reported as dead. “I take the accuracy of our records and the protection of the personal information that the public entrusts to us very seriously,” Astrue assured Senate Democratic Whip Dick Durbin of Illinois in a letter released this week. Durbin asked Astrue to respond to questions raised by a Scripps Howard News Service investigation. At issue is Social Security’s little-known but widely used database called the “Death Master File” (DMF), which is supposed to list the Social Security numbers of 90 million deceased Americans to protect U.S. businesses and consumers from identity fraud.
About 1 in every 200 entries is false, officials say, because of “inadvertent keying errors” by federal workers. “We know that the relatively few serious errors, including posting information about someone who is not deceased, can wreak havoc for that person,” Astrue told Durbin. “When we discover that we have included a living individual on the DMF, we take prompt action to correct our record.” Scripps obtained three different copies of the database, compared them, and easily identified 31,931 Americans who were inappropriately listed as dead. Scripps newspaper and television reporters around the nation interviewed dozens of people on that list and found many were denied mortgage and college loans, refused credit cards, suffered unexpected disruption of cellphone
service were shut out of job interviews, and had trouble getting apartment leases and, in one case, a person was detained by police for several hours after using a debit card. The death file became a public document in 1980 after business interests filed a Freedom of Information Act lawsuit to obtain the records. The National Technical Information Service, an agency of the Department of Commerce, sells the file to more than 300 clients, Astrue told Durbin. “Government, financial, investigative, credit reporting, medical research and other organizations use the public DMF to verify death and to prevent fraud, including identity fraud,” Astrue said. “To date, we have found no instances of fraud or misuse,” the commissioner said. “However, if we did, we would immediately notify the affected individual and offer SHNS photo courtesy of the Social Security Administration credit monitoring.” Social Security Commissioner Michael Astrue has decided to inform Americans Durbin promised to con- that their confidentiality has been breached only if there’s an indication of fraud. tinue looking into the prob- “To date, we have found no instances of fraud or misuse,” he assured Congress. lem to identify what steps should be taken next. cluded in that story,” Astrue said. “Senator Durbin is encouraged that the Social SecuScripps delivered to Social Security officials on Monday rity Administration has identified this as a problem and is the names and other identifying information of 461 Illinois working on ways to mitigate the impact,” said spokeswom- residents who were falsely listed as dying in 2007 — 40 peran Christina Mulka. cent of false reports the wire service detected that year. The Scripps study found that errors in the file do not Astrue said reliance on the state-run Electronic Death occur evenly throughout the United States. More than a Registration (EDR) system — already in use in 32 states, third of errors detected in 2007 were false death listings of New York City and Washington, D.C., to record informaresidents of Illinois, prompting Durbin to ask for more in- tion used to produce official death certificates — would be formation. “a significant step to ending these errors. “ “Although we are aware of the Scripps Howard News “While we wait for usage of EDR to increase, we have Service report, we are unaware of any increased error rate taken steps to limit errors in manual inputs,” Astrue said. for the state of Illinois and are unable to verify the data inHe did not say what those steps are.
SCRIPPS HOWARD NeWS SeRvICe
Social Security death file foul-ups hit home for agency’s chief
By Thomas hargrove and Waqas Naeem Scripps Howard News Service feb. 2, 2012
Social Security Administration Commissioner Michael Astrue admitted Thursday that he, personally, has experienced “the horrible thing” Americans endure when the federal government falsely declares them dead. “I’ve actually had, in one week, one of my closest relatives and one of my closest friends and neighbors (who both) were declared dead,” though both are very much alive, Astrue told a House Ways and Means subcommittee investigation hearing. “So I was right in the middle of it. It is a horrible thing to go through.” The Social Security Administration each year mistakenly lists about 14,000 living Americans in a little-known but widely used database called the “Death Master File,” created 30 years ago under the Freedom of Information Act as an anti-fraud tool for business. “Anyone of us could find ourselves mistakenly on that list – an inexcusable mistake that exposes our personal information and could cause severe personal and financial hardship,” said. Rep. Sam Johnson, R-Texas, who convened the House investigation into the inaccuracies in the Death Master File. In the first in-depth examination of the unintended consequences of the death file, Scripps Howard News Service last year identified 31,931 Americans who were falsely
listed as dead. These victims of clerical error described an Orwellian nightmare in which they were denied mortgages and student loans, refused credit cards, shut out of job interviews, and suffered denial or cancellation of cellphone service. Scripps also uncovered dozens of cases in 11 states where ID thieves used the Social Security numbers, available in the file, to try to profit from the deaths of children. The thieves filed phony tax returns claiming the dead children as dependents and compounding the true parents’ distress. No living victims were warned they’d been declared dead or that the federal government had publicly released their names, Social Security numbers, dates of birth and other confidential information in the death file. The database is sold to hundreds of groups and posted on the Internet by genealogy groups, although some voluntarily began to limit access after the Scripps stories ran. Parents learn of the theft of their children’s identity theft only when their own tax returns are rejected because someone else already claimed them. The lack of warning does not sit well with Johnson. “Social Security’s policy is not to inform Americans when they are victims of these kinds of errors. Why can’t
you tell the victims and let them take immediate action to protect themselves?” Johnson asked the commissioner. “We are relooking at this now,” Astrue said. He said his agency hires a contractor to monitor the credit of individuals who were falsely put on the death list. “We would notify them if there is any indication that there had been any irregularity in their credit, but we are relooking at this.” Astrue said he hopes the issue will SHNS photo by Danielle Alberti become “irrelevant” Social Security Administration Commissioner Michael Astrue testifies before the House if Johnson’s proposed Committee on Ways and Means. remedy – elimination of the death file as a The death file’s “wide availability has clearly benefitted public record – is enacted by Congress. security firms that use it to deter fraud,” said John Breyault “The only way to make sure that, when we make a of the National Consumers League. “Pension funds, insurmistake, it doesn’t have devastating public consequences is ance organizations and medical researchers use this data for to enact legislation that keeps the Death Master File more completely legitimate reasons.” confidential than it is today,” Astrue said. Breyault called on Congress to restrict access to only Besides Johnson, no one else at Thursday’s hearing en- “organizations that can certify a legitimate need for the indorsed the total elimination of the database, including a formation.” He also called on Social Security to start “notivictim of one of the worst kinds of abuses of the death file. fying living consumers” who’ve been listed in the file. “It is my belief that the federal government is responSocial Security Inspector General Patrick O’Carroll – sible for providing information to identity thieves,” said at- who has criticized the agency’s administration of the datatorney Jonathan Eric Agin of Arlington, Va. base – urged Congress to “limit public access” of the dataHe and his wife, Neely, could not file their federal in- base rather than terminate it entirely. He also suggested that come taxes after the Internal Revenue Service told them the government “limit the amount of information includsomeone else claimed the name and Social Security number ed” in the file and start a “several-month delay” in releasing of their 4-year-old daughter, Alexis, who had died months updates to the file to defeat identity thieves. before of cancer. In the meantime, O’Carroll said, Social Security still “But I am not interested in closing down the Death falsely lists about 1,200 living Americans each month. Master File. I think a balance should be struck,” Agin told “We remain concerned that these errors can lead to premathe hearing. ture benefit termination and cause financial hardship and Consumer and business experts agreed. stress,” he said.
SCRIPPS HOWARD NeWS SeRvICe
Genealogy sites remove Social Security numbers of deceased
By Isaac Wolf and Thomas hargrove Scripps Howard News Service Dec. 14, 2011
The world’s largest commercial genealogy website this week removed the Social Security numbers of recently deceased individuals, two weeks after lawmakers urged the site, Ancestry.com, to stop enabling ID thieves by posting the sensitive information. A spokeswoman for the Provo, Utah, company said that “there was some sensitivity” about the company policy of releasing the numbers. That led to a “purposeful decision” to not post the numbers for those who have died in the last 10 years, spokeswoman Heather Erickson said. An employee with a second website, Genealogybank. com, said that the Naples, Fla., company also has decided to stop posting Social Security numbers. The moves come six weeks after a Scripps Howard News Service investigation showed how people obtain and use the deceased’s Social Security numbers — which are freely released by the government — to commit identity fraud, including submitting false tax returns to collect purloined refunds. Responding to the Scripps articles, Rep. Sam Johnson, R-Texas, introduced legislation to limit the release of the socalled “Death Master File,” while Senate Democrats urged Social Security Administration Commissioner Michael Astrue to stop releasing the information. The lawmakers are continuing to press Social Security to limit the information it releases. The agency has said it cannot act until Congress changes the law, and a spokesman did not return a request for comment for this article. Legislators also reached out to genealogy companies, who re-post the records. On Dec. 1, four Senate Democrats
— Bill Nelson of Florida, Sherrod Brown of Ohio, Richard Blumenthal of Connecticut and Dick Durbin of Illinois — wrote to officials at five major ancestry websites, urging them to remove the records. “Your website — because it lists decedents’ entire Social Security numbers — could be used by identity thieves to perpetrate their crimes,” the four lawmakers wrote in letters to each company chief. “We implore you to consider the unintended consequences of making Social Security numbers available to anyone who accesses your website.” Among the other three websites: — FamilySearch.org, a website run by the Mormon Church, still had the numbers online Wednesday. But church spokesman Eric Hawkins said: “We are looking into how this matter can be resolved.” — Indianapolis-based Vitalrec.com accesses the Death Master File through Ancestry.com, which has limited the public’s access to the records. Vitalrec.com’s operator did not respond to a request for comment. — Robert Christie, spokesman for The New York Times, which owns Genealogy.about.com, said, “This is the first we are seeing this note so we can’t comment.” Nelson, who this year introduced legislation to limit public access to the Death Master File, praised Ancestry. com’s and Genealogybank.com’s decisions as a “good first step.” “I encourage other websites to follow suit,” he told Scripps. “But more must be done, including having the administration end the policy of immediately selling the Social Security numbers of deceased individuals.”
New bill aims to stop ID thieves from profiting off children’s deaths
By Isaac Wolf and Thomas hargrove Scripps Howard News Service Nov. 18, 2011
statisticians to have access to the death file. Under the bill, ID thieves would have a harder time trying to profit off the deaths of children and others under a House bill in- banks and credit bureaus — which currently use the records to deter fraud, the purpose for which the death file troduced Friday to limit access to Social Security numbers originally was created in 1980 — would available online. not be able to use them. In unveiling the “Keeping IDs Safe “We need to stop making it so easy Act of 2011,” Rep. Sam Johnson, R-Texas for criminals to gain access to our personal criticized Social Security’s publicly released information,” said Johnson, who cited sev“Death Master File,” which has been used eral Scripps findings in his floor speech and for at least a decade by thieves to access accompanying press release. He plans to Social Security numbers, file bogus tax rehold a January hearing on the death file, a turns to the Internal Revenue Service and spokeswoman said. collect refunds. The bill introduction comes two days Johnson’s “KIDS Act” would effectiveafter Sens. Dick Durbin, D-Ill., and Bill ly end public access to the death file, which Nelson, D-Fla., met with Social Security now can be searched for a small fee or even Administration Commissioner Michael for free on genealogy and other online sites. Astrue, calling on the agency to limit inforThe files contain the Social Security nummation released in the death file. bers and other personal information that Rep. Sam Johnson, R-Texas At the meeting, Astrue reiterated his can easily be used by identity thieves. position that a new law is needed before The bill’s introduction came two weeks after an ongoing Scripps Howard News Service investiga- Social Security makes any changes to the death file’s availability, Nelson said. Astrue refused to answer questions by tion documented cases across the country where ID thieves reporters following that meeting. have used the Social Security numbers of dead children to Nelson said he plans to solicit legal advice from the Jusfile bogus tax returns claiming the children as their depentice Department, which prosecutes ID theft cases involving dents and routing the refunds to themselves. dead children’s Social Security numbers. Johnson also blamed the administration of the death Nelson introduced legislation in September to create a file for making life miserable for the 14,000 still-living two-year waiting period before the deceased’s Social SecuAmericans a year who are erroneously listed as dead, which can place them in an Orwellian nightmare where it’s dif- rity numbers are freely released, but now says he wants the ficult to get jobs or open bank accounts, the Scripps investi- agency to institute a fix until his measure becomes law. A spokesman for The Compassionate Friends USA, gation found in July. an Oak Brook, Ill., nonprofit that serves grieving parents, “Any one of us could be put on that list by mistake — lauded the bill. “Too many families have been robbed twice a mistake that can result in severe financial hardship and — first by the death of a child and second by the theft of emotional headache,” said Johnson, who chairs the House that child’s identity,” Wayne Loder said. “It’s time that this Ways and Means’ Subcommittee on Social Security. problem is confronted by our legislators.” The legislation, if passed, would allow only law enforcement, tax administrators and government researchers and
SCRIPPS HOWARD NeWS SeRvICe
9/11 victims missing from death list
By Thomas hargrove Scripps Howard News Service may 24, 2011
Why are the nearly 3,000 victims of 9/11 missing from an official federal registry of death? According to the “Death Master File” — the official record of 90 million deceased Americans who were issued Social Security cards since 1937 — there were 6,298 deaths recorded on that awful day in 2001 when terrorists struck the World Trade Center, the Pentagon and a rural area in Pennsylvania. But since an average of 6,200 Americans die every day, there should have been more than 9,000 deaths recorded for Sept. 11, 2001. Conspicuous by their absence in the federal file are many prominent victims of the attacks, including New York City Fire Chief Peter Ganci Jr., Fire Department Chaplain Mychal Judge and businessmen Daniel Lewin, founder of Akamai Technologies, and Thomas Burnett Jr. chief operating officer of Thoratec Corp. “The mystery about 9/11 baffles me,” said Beth Givens, executive director of the San Diego-based Privacy Rights Clearinghouse which has received complaints about the accuracy of the death file. “The only things that come to mind are some of the conspiracy theories that we hear out there — and I don’t want to go there.” Conspiracy theorists, indeed, have noticed and are questioning whether the government has told the truth about what happened that day. A video posted on YouTube, entitled “Where are the 9/11 Victims?,” shows that only 405 people are listed as dying in the state of New York that day. The Social Security Administration, which oversees the Death Master File, does not have a clear explanation. “There are several possible reasons,” said Social Se-
curity spokesman Mark Hinkle. “For example, by law, we cannot make public the death reports we get from certain states. Another possibility is that the death was not reported to us because the person was not receiving benefits or there were no survivors’ benefits to be paid on the deceased’s Social Security record.” The Centers for Disease Control and Prevention also compiles a mortality registry of information obtained from death certificates, which is one of the sources Social Security uses for the Death Master File. The CDC’s registry correctly shows a 3,000-death bump above average for that day in 2001. Rep. Carolyn Maloney, D-N.Y., has begun inquiries into the reporting failure after she was told of the issue by Scripps Howard News Service. She is asking Social Security Administration Commisioner Michael Astrue, and the public health commissioners for New York State and New York City to, jointly, explain how the error occurred. “Would you explain why individuals killed on 9/11 would be missing from the DMF?” Maloney asked in a joint letter to all three commissioners. Consumer experts warn that inaccuracies in the Death Master File are a concern for families who need protection from thieves who could profit by assuming the identity of deceased loved ones. Researchers also use the file in a wide variety of medical and scientific studies that could be skewed by inaccurate counts of deaths. There are many other mysteries in the Death Master File. Disproportionately more people are listed as having died on either the first or 15th of each month than should be. About 3.6 million people died on the 15th
of their month of death, 1.7 million on the first, and an average of less than 1.5 million for all other days. This means that more than 2 million records likely contain the wrong date. “Social Security receives death reports from other federal government agencies. In the past, these reports included the verified month and year of death, but did not include the day of death,” Hinkle said. “In order to process the death SHNS photo by Thomas Hargrove information in our systems, we needed Beth Givens, executive director of the San Diego-based Privacy Rights Clearinghouse, has been aware of problems with the Death Master File for years. “The mystery about 9/11 to fill in a day of baffles me,” she said. death.” crepancies. Hinkle said the “We make it clear that our death records are not 15th of the month sometimes was used “as a default perfect and may be incomplete or, rarely, include day of death” until the precise day of death could be information about individuals who are alive,” he said. obtained. “Because we do not receive reports for all deaths and Due to clerical errors, the Death Master File also cannot release all of the reports we do receive, the contains the names of thousands of Americans who are absence of a particular person (in the Death Master still alive, Hinkle said. File) does not prove the person is alive. Our error rate Scripps was able to identify 31,931 still living is about 0.5 percent.” Americans by analyzing back copies of the death file. Hinkle said the Social Security Administration Forty-one percent of these were listed as having died each week reports “erroneous death data” to the Uniton the 15th. ed States Computer Emergency Readiness Team, part These reporting errors are not evenly distributed of the Department of Homeland Security’s National throughout the nation. A disproportionate number Cyber Security Division. He said the administration were found in Illinois, Louisiana, Massachusetts, also “hired a contractor to review all cases of inadverRhode Island and the District of Columbia. The rate tent exposure of people’s information. The contractor of error was extremely low in rural, lightly populated has found no patterns of organized misuse and no Western states such as Alaska, Utah, Wyoming, North indications of identity theft.” Dakota and Nevada. Hinkle did not give an explanation for these dis-
SCRIPPS HOWARD NeWS SeRvICe
‘Death file’ errors threaten research
By lee BoWmaN Scripps Howard News Service July 11, 2011
Doctors and medical researchers often worry if they can trust the Social Security Administration to accurately tell them when Americans die. Federal death records have long been used to determine if critically ill patients are still alive as they wait for organ transplants. Researchers also need reliable information for health studies that follow people over many years, even a lifetime, after they’ve had a particular medical procedure or been identified as having certain traits. Researchers typically turn to one or both of two databases to determine if someone is dead or alive — the National Death Index, which contains virtually all death certificates filed in the U.S. since 1979, and the Social Security Death Master File, which contains records of nearly
90 million benefit enrollees reported to the government as deceased since 1937. “Knowing when a subject died gives us some finality,” said Dr. Alexander Turchin, a researcher at Harvard Medical School and Partners Healthcare System in Boston. “It’s the one invariable. We can argue whether someone had a heart attack or kidney disease, but you can’t argue whether someone has died.” Except when the Social Security system occasionally mislabels as dead someone who is still alive. “Mistakes are a concern, because death is a relatively rare outcome, so if just a few deaths are erroneous, the conclusions of the study may be in error as well,” Turchin said. Turchin and several colleagues published a study on-
SHNS photo courtesy Library of Congress
Social Security Administration workers, shown at Baltimore headquarters in 1937, produced thousands of employee master cards that allowed the federal government to begin tracking millions of Americans. Officials assured the public that chances of error were “infinitesimal.”
line last November that matched electronic medical records against Social Security death reports for nearly 160,000 patients going back to 2000. Their report, titled “I Am Not Dead Yet: Identification of False-Positive Matches to the Master Death File,” found that more than 24,000 of the patients had at least one medical record element, such as new bills, medicine disbursement, lab reports or vital signs, still being recorded a month or more after the patient supposedly died. Further sifting of the records and other data found there were about 800 patients reported dead through the DMF who were actually alive. “It’s not an enormous number, but the more errors we can take out up front, the better the work will be,” Turchin
said. The DMF is also used by the United Network for Organ Sharing — a private, nonprofit organization that manages the U.S. organ transplant system under a contract with the U.S. Department of Health and Human Services — to determine eligibility of organ transplant candidates. “In order to maintain an efficient organ allocation system, UNOS ... provides a periodic report to transplant centers of their waiting list candidates who match with a record in the Social Security Death Master File,” said UNOS spokesman Joel Newman. He said UNOS is unaware of any case in which an organ transplant candidate was adversely affected by a false death report on the DMF. “We can’t say it has never hap-
SCRIPPS HOWARD NeWS SeRvICe
What to do if you’re listed as dead
What do you do if the Social Security Administration has listed you as dead? Contact your local Social Security office immediately. Do not assume the error will be corrected automatically. Experts warn that the longer the error remains on the “Death Master File,” the greater the risk of having serious problems with credit agencies, banks or one of the many hundreds of institutions that use this record. “How bad can it get? It can get to the point that you become homeless,” warns Jay Foley, executive director of the San Diego-based Identity Theft Resource Center. He said he helped an Arizona woman who was refused an apartment after she was listed on the Death Master File. “We had to get a doctor’s letter confirming that she was alive, believe it or not,” he said. The Social Security Administration will also provide proof-of-life documentation if an error has occurred. pened, but we don’t know of such an instance,” Newman said. Harvard epidemiologist Frank Sesso said researchers recognize “there is really no perfect system for tracking survival or mortality. Both the NDI (National Death Index) and the Death Master File have some gaps.” A decade ago, Sesso and colleagues ran a comparison of death records for a group of male college alumni between the two databases and found that the Social Security file agreed on death status 94.7 percent of the time; and matched the Death Index for subjects being alive 97.5 percent of the time. The research also showed that the Social Security records were less useful in identifying deaths among older women, who were often not included in records because they didn’t work and pay into the Social Se-
You can contact the SSA at 800-772-1213 or find the Social Security office nearest you by going to their website and selecting the option “Find a Social Security office.” The latest copy of the Death Master File is available online. —Thomas Hargrove
curity Trust Fund. Researchers know there are other gaps in the DMF, since not all deaths are recorded by the agency. If, for instance, those who aren’t citizens or are federal workers outside the main retirement system may be excluded. However, the DMF is updated monthly, while it takes the Centers for Disease Control and Prevention, which runs the NDI, about two years to incorporate death certificates in the record. This makes the Social Security files a much more “real time” tool for identifying most deaths, including deaths that may occur among Americans living overseas. That’s something the NDI does not capture since it is based on state vital records. On the other hand, the NDI offers much more detail, including a cause and manner of death for most subjects.
Social Security cuts info in online Death Master File used by banks, ID thieves
By Thomas hargrove and Isaac Wolf Scripps Howard News Service Dec. 7, 2011
The Social Security Administration has significantly cut the amount of information it reports to the muchcriticized “Death Master File,” a federal database used by credit bureaus and U.S. businesses to stop fraud but also by identity thieves. Florida businessman Ronald Perholtz, who won the court-ordered release of the death data 31 years ago, is complaining that federal officials have “willfully committed multiple violations of the consent judgment” he obtained in federal court. “This is preposterous,” said Perholtz, 63, from his home in Jupiter, Fla. “These data provide a significant benefit for anti-fraud efforts. When people cheat, we need to know about it — not just the government, but the private sector and the general public as well.” The dispute is the latest controversy featuring the Death Master File, which has drawn attention from several prominent members of Congress. An investigation by Scripps Howard News Service found that thousands of living Americans are inadvertently listed in the death file each year, causing serious damage to their credit. Identity thieves also are using the file to obtain Social Security numbers of recently deceased people, including children, to commit income tax fraud. Social Security officials last month began curtailing the amount of information they release to the file because “we can no longer disclose protected state records.” Many state governments, under contracts with
Social Security, do not consent to public release of the names of dead citizens. That means the agency will not report 1 million of the 2.8 million deaths it expects next year, a reduction of about 36 percent. The agency also wants to remove 4.2 million names previously reported. “If Social Security wants to hide their head in the sand on this, they are not only hurting themselves, but others as well,” Perholtz said. “They never gave us advance notice of any of this, they just cut the file size.” Perholtz has sent a letter to Social Security Administration Commissioner Michael Astrue asking that his agency “cease and desist” withholding any death records. He said the government also stopped reporting the ZIP codes of the last known residence of deceased people, useful information for researchers. Rep. Sam Johnson, R-Texas, who chairs the House Ways and Means’ Subcommittee on Social Security, last month introduced legislation to stop release of the entire Death Master File, since it has been used by thieves to steal the identity of recently deceased children. He called the measure “Keeping IDs Safe Act of 2011,” or the KIDS Act. “Any one of us could be put on that list by mistake — a mistake that can result in severe financial hardship and emotional headache,” Johnson said. Other members of Congress have said the method of listing deaths must be reformed — not eliminated — since it is an important tool to reduce fraud.
SCRIPPS HOWARD NeWS SeRvICe
Docs withhold records from victims of medical ID theft
By Isaac Wolf Scripps Howard News Service march 20, 2011
One patient nearly received a transfusion of the wrong kind of blood — a life-threatening mix-up. The cause? A bogus medical file that had been created by an identity thief. The criminal used the victim’s name to obtain medical care. The criminal’s blood type was recorded in the victim’s medical records, leading to the almostfatal mistake. “It was a close call,” said Larry Ponemon, a nationally recognized authority on identity fraud. Researching medical identity theft, Ponemon found that case and another instance where medical identity theft had placed a victim’s health in jeopardy. The second patient nearly got an inappropriate and unneeded procedure. Ponemon, chairman of the Traverse City, Mich.-based Ponemon Institute, a think tank, declined to provide the
individuals’ names, nor the name or location of the health care system with the bad records, for privacy reasons. “Those could have been deadly,” Ponemon said of the incidents. Affecting an estimated 1.5 million Americans overall, according to estimates from Ponemon, medical identity theft poses a threat beyond the headaches associated with fixing financial fraud: The crime alters your medical records and can compromise your care. Unlike financial ID theft — which can be flagged through credit bureaus — there is no central source for checking your medical records, according to the Federal Trade Commission, the federal consumer watchdog agency. Medical providers say that federal law hamstrings ID theft victims from seeing files created in their name: That’s
SHNS photo by Mark T. Osler
For nearly five years, Joanna Saenz, of Denver, has tried to see the medical file created by an impostor at a Nebraska hospital. Saenz first learned of the medical ID theft when a credit check revealed that the Fremont Area Medical Center in Fremont, Neb., had billed her for a broken arm. At the time, she had never been to Fremont.
because medical records created about all patients — including identity thieves who use your name - are covered by privacy rules in the Health Insurance Portability and Accountability Act (HIPAA), according to Lawrence Hughes, assistant general counsel for the American Hospital Association. “You must protect all persons’ information — whether it is a real patient or a patient that has committed a case of identity theft,” Hughes said. For America’s victims of medical ID theft, there is no system to identify and correct the damage left by an impostor. In fact, a Scripps Howard News Service investigation finds: — Medical providers are refusing to give ID theft victims access to records, invoking the privacy rights of the
thieves, according to victims, experts and hospital officials. The only way for this to change is for federal authorities to create explicit rules to help medical ID theft victims, some say. — Even when hospitals are alerted about erroneous medical files, they have no systematic way to fix the records, experts say. — The move toward networked electronic medical records — spurred by $19 billion from the 2009 economic recovery act — may amplify the threat that incorrect records spread “quickly and broadly,” according to a governmentcommissioned report. For nearly five years, Joanna Saenz, of Denver, has tried to see the medical file created by an impostor at a Nebraska hospital. Saenz first learned of the medical care when a
SCRIPPS HOWARD NeWS SeRvICe
credit check revealed that the hospital, the Fremont Area Medical Center in Fremont, Neb., had billed her for a broken arm. The suspected culprit was a woman who had used Saenz’s identity for years, obtaining credit cards, a driver’s license and other accounts in her name, Saenz said. While living out this elaborate lie, the thief needed medical attention for a broken arm and, later, a pregnancy, Saenz said. Saenz said she refuses to pay the impostor’s bills. The hospital has no record of anyone trying to access Saenz’s file, according to a spokeswoman there. “I am still trying to convince them to give me the records,” said Saenz, 27. Saenz said she is staying away from the area — about 30 miles from Omaha — on fear that if she needs medical attention there, her records might be wrong. There are many ways criminals engage in medical ID theft. Common schemes include organized rings that defraud insurance companies and Medicare. One such ring, busted last October, stands accused of submitting false patient claims on thousands of Medicare beneficiaries to steal more than $163 million, according to the U.S. Department of Justice. The New York-based enterprise made money by using the identities of doctors and patients to submit false claims, according to an indictment. Methamphetamine abusers also steal identities to access prescription drugs or insurance payouts, according to the Justice department. Thieves can gather medical information from a variety of places, including breaches from health care companies. Just this week California state authorities reported that Health Net Inc., an insurance company based in Woodland Hills, Calif., had lost personal information on 1.9 million current and past enrollees around the nation in January, and only now is making the breach public. The risk of inaccurate medical records is mushrooming. As the medical industry replaces paper files with linked, electronic databases, the potential harm from inaccurate patient information will cascade, ID theft experts and data security analysts warn. That’s because in the electronic world, incorrect medical records will have an ever-greater chance of making their way to the doctors seeing the identity victims. “You have someone else’s medical history entangled in your medical records,” said Linda Foley, founder of the Identity Theft Resource Center in San Diego. Unaddressed medical identity theft can also take a financial toll. It can drag down a credit score and victims may have a harder time getting private insurance, experts said. Federal authorities have been alerted. Months before the February 2009 Recovery Act set aside $19 billion for electronic health records, a report commissioned by the U.S. Department of Health and Human Services warned that the move to computerized medical files could spread false records “quickly and broadly.” Electronic record systems could move inaccurate files “across countless systems,” making it more difficult for victims to remove mistakes, consultancy Booz Allen Hamilton wrote in an Oct. 15, 2008 report. But even when ID theft victims determine which hospitals have the doctored records, they frequently cannot view the files, experts and ID theft victims said. When an identity theft victim asks to see records created by thieves, hospitals frequently deny them, citing HIPAA. The law safeguards medical patient privacy — and hospitals have interpreted this to include ID thieves. “There’s a very significant Catch-22 that has not been resolved here,” said Pam Dixon, executive director of the World Privacy Forum, a San Diego-area nonprofit that works with identity theft victims. Both the U.S. Federal Trade Commission and Health and Human Services said that hospitals should give you access to the file created in your name. But those agencies acknowledge that medical providers sometimes deny ID theft victims access to the records. Rick Kam, whose company helps hospitals respond to data breaches, said he knows why hospitals are not providing access to the records: They fear legal liability under HIPAA, said Kam, president of Portland, Ore.-based ID Experts. What’s necessary is a new law creating a medical ID theft victim’s bill of rights, spelling out how a victim can access and correct the file and providing immunity for hospitals that do release the information, Kam said. Even when hospitals grant access to the tainted records, they are not necessarily doing a good job fixing them, Ponemon said. His research has found that medical institutions have no consistent system for correcting the mistakes. “There is not a set of standard procedures that we observed,” he said. “You are relying on the judgment of individuals, and that is not a good thing.”
Tax-refund ID thieves face crackdown
By Isaac Wolf Scripps Howard News Service may 25, 2011
Congress wants to crack down on identity thieves who steal other people’s tax refunds by submitting false returns to the Internal Revenue Service. As reports of tax-related identity theft skyrocket, Sen. Bill Nelson, D-Fla., called on the IRS Wednesday to tighten safeguards against the crime and better assist victims who must wait months — sometimes years — to get their rightful refunds after the scam is detected. At a hearing Wednesday of the Senate Finance Subcommittee on Fiscal Responsibility, which he heads, Nelson said he wants to thwart the surge in the crime. In 2010, the IRS identified 248,357 stolen tax refund ID theft cases — more than in the previous two years combined (220,789), according to the U.S. Government Accountability Office, the investigative arm of Congress. The widespread use of Social Security numbers has made it easy for crooks to submit false tax returns and steal the refunds, Nelson said. “The keys to the tax system have been copied many times over,” he said. “It should come as no surprise, then, when our tax system is bombarded with sham tax returns.” A Scripps Howard News Service investigation reported that complaints to federal authorities of those ID crimes more than tripled from 2005 to 2009. The spike comes as other forms of ID theft have been declining, thanks in large part to vigilance by credit card companies. The IRS says it is tackling the growing volume of fake returns, and, as of May 12, had detected 145,537 bogus 2010 returns out of nearly 200,000 it had redflagged for inquiry. But victims say their problems are compounded by how the IRS handles the cases. They say dealing with the IRS is confusing, and that the agency provides little help in untangling them from the mess and getting them their rightful refunds. The IRS continues “to treat me as if I am the one
to blame,” said Sharon Hawa, of Bronx, N.Y., who has lost her refund to a crook twice. After Hawa learned in early 2009 that her tax return had been rejected — someone had already filed a 2008 return in her name — it took the IRS 16 months to issue Hawa’s rightful $6,604 federal refund. This year, Hawa lost her 2010 federal and state refunds totaling $6,335 to ID thieves. “Unfortunately, the IRS seemed more disorganized this year than the first year it happened to me,” she said. Hawa is still waiting for her 2010 federal refund. Each time she contacts the IRS, she must deal with someone new. “It’s just the same conversation over and over again,” Hawa said. The IRS contends it is vigilant, and detects — and prevents — more fraud than not. Beth Tucker, IRS deputy commissioner, said at the hearing that the IRS has kept $929 million in tax refunds from going to ID thieves since 2009. Even so, she said the IRS estimates it pays out $15 million each year into the hands of ID thieves. But National Taxpayer Advocate Nina Olson — head of the independent IRS consumer watchdog office — cast doubt on the IRS figures, saying that there are no accurate estimates for how much the crime costs taxpayers. “They don’t believe their own numbers,” she said after the hearing. Olson’s office, which helps the public deal with the IRS, has received 60 percent more ID theft cases this year than in the same period in 2010. One way the IRS might prevent ID theft is by giving secret PIN numbers to defrauded taxpayers, Tucker said. ID theft victims would receive the secret number to include with their tax return as a way to thwart the crooks, who likely would lack the PIN code. Another way is to screen more returns, hunting for factors that may red-flag ID theft. Tucker said the screening program is improving dramatically.
SCRIPPS HOWARD NeWS SeRvICe
Social Security ‘Death File’ designed to fight fraud but now aids it
By Thomas hargrove and Isaac Wolf Scripps Howard News Service Nov. 14, 2011
The fraud-fighting Jupiter, Fla. businessman who 31 years ago won court-ordered release of an important federal database to stop thieves now worries it is widely misused by crooks and blundering bureaucrats. Ronald Perholtz is especially unhappy that the federal government hasn’t fixed the problem of tens of thousands of living people who’ve been listed in the Social Security Administration’s “Death Master File,” putting them in an Orwellian nightmare where they can’t get jobs, open checking accounts, buy cellphones, obtain credit cards or get mortgages and college loans. Perholtz, 63, said he was rebuffed when he brought the problem to the attention of federal authorities nearly three decades ago. “We met with Social Security people and the Inspector General’s staff in the early 1980s. We gave them a thick printout of people who weren’t dead. They didn’t act on it,” Perholtz said. “They wouldn’t deal with us. I thought they had more of a social responsibility.” The file also is being misused by crooks who file for tax refunds using the names and Social Security numbers of recently deceased Americans, including children, according to Internal Revenue Service officials. Perholtz wants to make changes. He originally sought release of the Death Master File as a tool for pension companies, for whom he worked, to identify the theft of benefits paid to people who have died. When Social Security provided the file under a courtsanctioned agreement, Perholtz and his staff quickly found many cases of pension fraud throughout the industry. In a recent interview, Perholtz said he’s willing to renegotiate that settlement to keep the death file from being so widely distributed that it’s become a tool for thieves. “We should control this death information only for use in protecting companies from fraud,” Perholtz told Scripps Howard News Service. “We ought to contain this. I would keep this information more centralized.”
But Social Security Administration spokesman Mark Hinkle said the agency cannot make changes. “We are required to provide such information under the Freedom of Information Act (FOIA),” Hinkle said in response to Perholtz’ offer. “Revisiting the court order would not change what we must disclose under FOIA.” Social Security Administration Commissioner Michael Astrue has taken the same position with congressional leaders. Astrue said his agency is required to publicly release the full names, Social Security numbers and birth dates for everyone whom the agency believes has died. “In order for us to limit the information that we make publicly available, Congress would need to amend the FOIA,” Astrue said in a letter to Sen. Dick Durbin of Illinois, the No. 2 Democrat in the Senate. Rep. Jim Moran, D-Va., said that Social Security is “hiding behind” the 1980 court ruling “as an excuse.” Moran has received complaints from grieving parents who can’t get their income tax refunds because identity thieves have used the death file to claim recently deceased children as dependents. The Social Security Administration “can fix that,” Moran said. “They can go back to court and ask to reconsider the consent order based upon the abuse.” Nina Olson, the official taxpayer advocate at the IRS, said the unrestricted release of personal information “aids and abets identity theft and tax fraud and is, frankly, appalling.” She said about 350,000 apparently fraudulent tax filings this year used the personal information of recently deceased Americans in an attempt to obtain $1.25 billion in refunds. “If the Social Security Administration feels it must ask the court that entered a consent judgment in a 1980 FOIA case to modify the judgment, it should do so,” Olson said. Perholtz said much of the problem stems from a failure of Social Security officials to seek cooperation with other
agencies and with state governments to obtain an accurate accounting of the 2.7 million Americans who die each year. “There needs to be a cooperative effort so everyone has the latest and correct information and that errors are ferreted out,” Perholtz said. “Like I was pointing out to Social Security years ago, but no one seems to be interested.” The Death Master File has become a widely distributed database easily accessed on the Internet. The Social Security Inspector General’s Office issued a scathing report four years ago, asking the agency to consider reducing the number of people given access to the file or, at least, to release only part of deceased Americans’ Social Security numbers. “All of the people that we disburse the death file to are just creating chaos,” Perholtz said.
Medical ID theft victims need way to fix records, lawmaker says
A Catch-22 that keeps victims of medical identity Ponemon Institute think tank. The crime can take theft from seeing and fixing false — and potentially many forms, including fraudulent billing schemes, harmful — health records created in their names needs drug abusers who steal identities to access prescriptions to be fixed, the top Democrat on a House health suband cash payouts, or simply individuals who need care committee said March 22, 2011. but do not want to pay. Rep. Frank Pallone, N.J., ranking member of the Pallone’s office is researching the issue by working House Energy and Commerce Comwith hospitals in New Jersey and the mittee’s health subcommittee, said American Hospital Association. New Tuesday he is working to alter a federal Jersey hospitals contacted by Pallone’s law that hospitals have used to keep office said they are concerned about medical identity theft victims from acmedical identity theft and aware of the cessing and correcting inaccurate files access issues raised by the federal medileft by impostors. cal privacy rules. Hospital industry officials say His office will also contact the U.S. federal privacy rules prevent them from Department of Health and Human Serallowing ID theft victims to obtain the vices, which oversees medical privacy records left by fraudsters. rules laid out in the Health Insurance Pallone said he wants to make the Portability and Accountability Act. change either by clarifying federal rules The federal agency says hospitals or by passing a new law. should allow ID theft victims to see and “We need to have some regulatory correct records. However, the agency change or legislation … that would give Rep. Frank Pallone, D-N.J. acknowledges that medical providers hospitals direction so patients could see refuse requests because of their strict the file and correct it,” Pallone said. interpretation of HIPAA. The lawmaker’s comments come in response to a But even when hospitals do grant victims access Scripps Howard News Service investigation published to the records, there is no standard for fixing the files, March 16, which found that victims of medical idenPonemon and others told Scripps Howard. tity theft have no recourse for identifying and correctPallone said he wants to fix this. ing the damage left by ID thieves. “There is a problem, and, many times, patients are Overall, medical identity theft affects 1.5 milnot able to see the file,” Pallone said. “If they do see it, lion Americans, according to an estimate by Larry they want to be able to correct it.” Ponemon, chairman of the Traverse City, Mich.-based —Isaac Wolf
SCRIPPS HOWARD NeWS SeRvICe
Tax refunds newest target in ID thefts
By Isaac Wolf Scripps Howard News Service feb. 28, 2011
While waiting for your income tax refund this spring, beware that someone else may already have claimed it. In one of the fastest growing forms of identity theft, crooks are using a stranger’s Social Security number and other personal information to fool the Internal Revenue Service into diverting the person’s rightful refund to the bad guys’ pockets, according to a Scripps Howard News Service investigation. The volume of tax- or wage-related identity theft complaints to the U.S. Federal Trade Commission more than tripled from 2005 to 2009, according to a Scripps analysis of more than 1.4 million ID theft records in the agency’s Consumer Sentinel database. That comes despite a decline in the overall number of identity theft complaints to the federal watchdog agency, which collects information for law enforcement authorities around the nation. Whether this is because the incidence of the crime is decreasing, or because victims are too frustrated, confused or embar-
rassed to contact the FTC, is unclear. Striking an estimated 10 million Americans a year, ID theft has received volumes of attention in the last decade. When the spotlight is shined on a particular ID crime method, the number of related complaints typically drops. For instance, over the years, financial institutions intensified efforts to identify and resolve cases where credit cards are stolen and used to run up fraudulent bills. In turn, the FTC data shows an overall drop in credit-card related identity theft complaints. But they haven’t disappeared, as Naples, Fla. resident Gilbert Sherburne knows too well. In November, his credit card company, Bank of America, contacted him when someone tried to purchase a $984 airline ticket with the 82-year-old man’s card number. Meanwhile, other types of ID theft, including purloined tax refunds and using a lifted identity to open new utility accounts, are growing. The Scripps review of the data, which was ob-
SHNS photo by David Albers / Naples Daily News
Naples, Fla. resident Gilbert Sherburne, 82, didn’t realize he was facing identity theft until Bank of America called to verify the purchase of a plane ticket worth more than $900 on his credit card. After Bank of America replaced his original credit card, the U.S. Coast Guard veteran learned that someone then requested a copy of the replacement card over the phone.
SCRIPPS HOWARD NeWS SeRvICe
tained by a Freedom of Information Act request, shows: — ID theft complaints to the FTC declined 20.2 percent from 2008 to 2010. Agency officials say they cannot explain the decrease. Despite the drop in overall complaints, however, there is evidence that ID theft is not actually slowing down. A 5,000-person nationwide phone survey by Javelin Strategy and Research, a private firm based in Pleasanton, Calif., found that the crime jumped 12 percent in 2009. — According to the FTC, complaints of a thief using a victim’s credit card dropped nearly 32 percent from 2005 to 2009, the last year for which there was full data. Some experts attribute this to the financial industry’s success at thwarting fraud cases, while also providing full reimbursements to consumers. — Even so, the most common method of ID theft remains opening new credit card accounts using another person’s name (13.2 percent of complaints). The other most prevalent forms include using someone else’s Social Security number and other personal information to get a job (11.1 percent), and stealing another’s tax refunds or salary (8.9 percent). — The largest volume of complaints came from residents of California (230,269), followed by Texas (144,272) and Florida (105,241). Steven Toporoff, an attorney in the FTC’s division of privacy and identity protection, said the growing number of plundered tax returns is of increasing interest to the agency. The FTC is working with the IRS and other authorities to warn the public about the threat and provide suggestions for ways taxpayers can protect themselves. According to the FTC data, 11,010 victims reported tax- or wage-related identity theft in 2005. Four years later, that number rose to 33,774 victims. Toporoff noted that the complaints are reported by the public and are not vetted for accuracy. For victims, the process of recovering from any type of ID crime can be arduous. “It was a nightmare,” said Jeff Smith, 43, who works at Vintage Security, an alarm system company, in the Baltimore suburb of Jessup, Md. Smith had a $6,000 tax refund that was swiped by a thief. Smith eventually received his tax refund, after eight months of corresponding with the IRS and investigating the case on his own. After learning that the thief cashed his tax refund at a bank in Marietta, Ga., Smith worked with police there to track down the culprit. Police determined that the thief was part of a ring, but by the time authorities conducted a raid, the suspects had fled. Smith found out his identity had been stolen in the spring of 2007, when he was asked to pay taxes on jobs flipping burgers at a Wendy’s restaurant and a car wash in Marietta. Smith later found out his name had been used to rent an apartment, take out utilities and to pay for stitches at a hospital in New York. Just how a thief lifted Smith’s tax return is not known. But a common scheme involves falsely advertising a free tax preparation service. In one case, a crime ring from Belarus duped American taxpayers in 2006 and 2007 with a bogus tax filing service they claimed was backed by the IRS, according to the U.S. Department of Justice. Through this scheme, the criminals captured taxpayer information, then doctored it to claim larger tax returns. Finally, they submitted the phony tax returns to the IRS, and directed the cash to be sent to themselves. Another emerging — and increasing — criminal enterprise: Thieves using a stranger’s identity to start electric or gas service at the bad guys’ address. In 2005, the agency recorded 8,427 complaints for utility identity theft. By 2009, that number more than doubled to 19,934. The FTC records also reveal national hotspots for identity theft. Brownsville, Texas — along the U.S.Mexico border — contains the ZIP code with the highest volume of identity theft complaints. Police there declined to comment, but experts in Texas attribute the high volume to illegal immigrant and drug smuggling activity in the region. Another identity theft flashpoint is Brooklyn, N.Y. Six of the top 10 ZIP codes where victims suspect their assailants are based are located in that New York City borough. New York City police spokesman Sgt. Carlos Nieves said the department does not track identity theft by ZIP code, and it has no idea if Brooklyn is a hotbed for the crime.
Editorial: Congress should require notification of security breaches
By Dale mcfeaTTers Scripps Howard News Service oct. 24, 2011
There’s an expression in Washington about politicians and agencies that find themselves in hot water: It’s not the crime, it’s the cover-up. In the case of the Social Security Administration’s massive breach of confidentiality, it wasn’t a crime, but incompetence, and not so much a cover-up as total inaction by the agency. SSA failed to inform tens of thousands of Americans that over the past 30 years their names, addresses, birth dates and Social Security numbers had inadvertently been released to a publicly available database widely used by business. The agency’s failure to inform the at-risk parties ignored government guidelines and recommendations for dealing with security breaches and violates the intent, if not the letter, of the U.S. Privacy Act. The database is called the Death Master File and contains the records of 90 million dead Americans; it was begun in large part at the urging of business. Administered properly, the death file is a useful tool in preventing con artists from assuming the identities of deceased Americans. The problem is that each year the names and other personal information of 14,000 living Americans are mistakenly entered in the file. Since the SSA declines to issue warnings, the first inkling many Americans have of the release of their private information is when they become victims of identity theft. An earlier examination by Scripps Howard News Service found that 31,931 names of living Americans
had become public. A later, more intensive examination with the aid of the television stations and other newspapers of the parent E.W. Scripps Co. found that the problem was significantly broader, but still unaddressed by the Social Security Administration. Most citizens contacted for this story only found out about the breach when they were suddenly confronted by frozen bank accounts, canceled cellphone service, denied apartment leases, turned down for credit cards or refused mortgages and student loans. The businesses, landlords and prospective employers were acting on the not-unfounded belief that since the master file showed the applicants were dead they were being set up for some kind of identity-fraud scam. It took one victim nearly 10 years to untangle the mess and, she complained, “No one ever sent me an apology or anything.” Being the SSA means never having to say you’re sorry — or much of anything else. SSA has refused repeated requests by us to explain its policy of keeping silent about the breaches or its policy of notifying — or not — the potential victims, which prevents people from taking action to protect themselves from the lapses. Forty-six states make disclosure of confidentiality breaches mandatory for state and local agencies. The White House Office of Management and Budget has urged a federal policy of public admission and individual notification. Clearly, Congress should make that policy mandatory, too.
SCRIPPS HOWARD NeWS SeRvICe
Knoxville News Sentinel Knoxville, Tenn.
Making news across America
Evansville Courier & Press Evansville, Ind. Ventura County Star Ventura, Calif.
San Angelo Standard-Times San Angelo, Texas
The Seattle Times
Abilene Reporter-News Abilene, Texas
Naples (Fla.) Daily News
WPTV West Palm Beach
The Commercial Appeal Memphis, Tenn. WXYZ Detroit
The Stuart News Stuart, Fla. The Gleaner Henderson, Ky. Redding Record Searchlight Redding, Calif. Corpus Christi Caller-Times Corpus Christi, Texas
SCRIPPS HOWARD NeWS SeRvICe
Editorial: Feds must stop scam of stealing from dead children
By Dale mcfeaTTers Scripps Howard News Service Nov. 11, 2011
In a ghoulish new identity theft scam, thieves are cashing in on dead children by stealing their Social Security numbers to fraudulently collect federal tax refunds. And, as Scripps Howard News Service reporters Isaac Wolf and Thomas Hargrove learned, the heartless crooks are getting help from an unexpected source, the Social Security Administration itself, in a macabre twist that has caused no end of anguish for grieving families. It’s part of a broader form of identity theft. In figures provided to Scripps Howard, the Internal Revenue Service estimates that dishonest tax filers this past tax season alone submitted returns on 350,000 dead Americans, falsely claiming up to $1.25 billion in refunds. The root of the problem is the SSA’s Death Master File, which lists information, by law publicly available and easily accessible, on everyone who dies in the United States, including their birthdates and Social Security numbers. Ironically, it was created at the request of businesses to prevent the misuse of personal information, for credit cards, loans and the like. But that was in 1980, before the Internet and superfast search engines could prowl the massive database. The file contains 90 million names but con artists have begun to focus on the newest additions to the list, particularly children. Last year, the Pilcher family of Potomac, Md., lost their infant daughter, Ava, to lung disease. As if that weren’t pain enough, the IRS rejected their 2010 income tax filing because someone else had already claimed Ava as a dependent.
“All we really have is her memory and her name,” says dad Matt Pilcher. “For someone to try to take that, to steal that, to appropriate that for themselves — it’s beyond reprehensible.” But identify crooks need only file before the family does. And by the time the IRS learns of the theft, the money is gone. The IRS can resolve the claims, a process that takes six to eight weeks. But the thieves are protected from angry families — because federal privacy laws ban the IRS from disclosing the fraudulent claimants’ names. The problem of Social Security identity theft probably cannot be eliminated but it can be substantially reduced. Why it hasn’t is a maddening example of government inertia. The SSA could ask federal courts to modify the 1980 order granting the public complete access to the Death File. It could ask Congress to write a new set of identity protections, particularly for dead children. Simpler yet, it could implement the recommendations of a scathing 2008 audit by its own Inspector General’s office. Such simple steps include waiting a year before posting the deceased’s complete personal information and redacting Social Security numbers from the information provided to private genealogical databases. But the Mormons, who administer the giant family database, FamilySearch.org, say the federal government prohibits them, and others, from doing so. The IG also urged that living Americans be notified when their personal information is inadvertently released, as happens about 14,000 times a year. In addition to combating a particularly pernicious fraud, it would spare families needless additional pain over the loss of a child.