Report: Medicare and Social Security Accounts Vulnerable to Data Breach

Medicare and Social Security cards held up by gloved hand; agencies vulnerable to data breach

The Government Accountability Office (GAO) released a report last month indicating four major government agencies are leaving Americans personal, medical, and financial information vulnerable to a data breach. This is due to the way the agencies verify the user’s identity at the login page with a process known as knowledge-based authentication. 

The report

The report was written and released last month by Senator Elizabeth Warren (D-MA), member of the Senate Banking Committee and 2020 presidential candidate; Representative Elijah Cummings (D-MD), chairman of the House Committee on Oversight and Reform; and Senator Ron Wyden (D-OR). 

The report identified the following government agencies were using knowledge-based authentication on their websites:

  • The Centers for Medicare and Medicaid Services (CMS)
  • The Social Security Administration (SSA)
  • The United States Postal Service (USPS)
  • The Department of Veterans Affairs (VA)

The Internal Revenue Service (IRS) and General Services Administration (GSA) previously used knowledge-based authentication on their websites, but the agencies recently improved their security measures to protect sensitive information of American citizens.

What is knowledge-based authentication?

Knowledge-based verification is common. What was the model of your first car? In which city were you born? What’s your mother’s maiden name? But these members of Congress are arguing that the answers to these questions could easily be stolen, and don’t do enough to protect personal, medical, and financial information of the American people. 

2017 Equifax data breach 

In 2017, the credit reporting agency Equifax experienced a data breach which put the financial information and identities of 145 million American at risk. This breach caused the National Institute of Standards and Technology (NIST) to create new authentication policies to protect sensitive information. 

However, the four agencies listed in the report have yet to abide by these policies despite repeated inquiries from Warren, Cummings, and Wyden. The Congress members have written to the heads of the agencies multiple times in the past two years to ask why they were still using knowledge-based authentication, and how and when they planned to improve their identity verification measures as laid out by the NIST. 

Warren said in a Facebook post on June 14, “This is a nightmare: 2 years after the massive Equifax data breach, 4 government agencies are still using an outdated process that relies on credit reporting agency data to verify people’s ID. They’re putting Americans at even greater risk for fraud.”

Warren has put forth a bill along with Representatives Cummings, Raja Krishnamoorthi, and Senator Mark Warner to impose “massive, mandatory fines” on companies who leave American vulnerable to identity theft. 

How you can protect yourself

  • Don’t write your passwords or answers to your security questions down. 
  • Change your passwords every few months, like when the seasons change. 
  • Don’t use personal information in your passwords. 
  • Use different passwords on different government agency websites. 
  • Don’t log into your account from public devices or on public wifi. 
  • Avoid using real words by using the first letter of each word in a phrase you commonly use. 

Remember: Medicare and Social Security scams are very common. These agencies will never contact you over the phone. If you receive a call from someone claiming to represent these agencies, do not give them any personal information or passwords, hang up immediately, and report them to the FCC

Up Next...

blog image

Medicare World Blog

CA Residents: Privacy Notice for California Residents |