On the surface this discussion may not seem to be about workers’ compensation. But I assure you, it is. While the topic is identity theft; specifically, the recent theft of my identity, it is an opportunity to look at how our industry may be helping this booming criminal trend.
While at work last Thursday I received a call from my wife, telling me that Citibank had left a message regarding my credit line at Staples, the office supply retailer. She also mentioned they left a reference number concerning my credit application. This was, to say the least, a bit of a surprise for me, as I do not have a Staples credit account, and certainly did not apply for one. When I called the bank, I found that someone had indeed opened an account using my name. And my address. And phone number. And birthdate.
And my Social Security number.
Well, roll me in pig manure and call me stinky; it appears I’ve been a victim of identity theft. While much of my information used is probably readily available in the public domain, it was the presence of my social security number in this effort that really indicated alarm.
I am not certain exactly what prompted Citibank to contact me, but they did mention that the person who completed the application did not spell my first name correctly. It seems that there is no “v” in Robert. The people at the bank were very helpful. They quashed the account before any purchases were made, and will be sending me forms I will have to complete to verify the fraudulent activity. I also immediately placed a fraud alert with Equifax, from whom I purchase a credit monitoring service. They are supposed to share that alert with the other two credit bureaus, Trans Union and Experian.
The following morning, Friday, things became decidedly more urgent. I received an email from Equifax informing me of two changes on my credit report. There had been a hard inquiry (the type used in a request for credit), and a new account had been opened in my name. The inquiry had been generated by a request for credit at Office Depot. The new account, which had been opened several days prior, was for a retailer called Guitar Center. I spent most of the morning on the phone with my own bank, as well as several other banks and credit bureaus, and learned that applications had also been submitted to furniture retailer Rooms To Go.
In many ways, I am extremely fortunate. It appears, thanks to the vigilance of the folks at Citibank, that we caught this early in the process. The Staples, Office Depot and Rooms To Go applications, which were not immediately approved have been blocked before any purchases could be made (I was unable to get full specifics, but a couple apps used the wrong birthdate and phone number, which might have held them up for further review). Those “hard” inquiries will be scrubbed from my credit history. The Guitar Center account, however, will be more problematic. It has a credit line of several thousand dollars and has already been used. While the account has been closed and placed into a fraud investigation, it is unclear as to how long it will be reflected on my credit record. I’ve been told that I will likely receive a statement and bill, but should ignore it.
In the coming days, we will see if more damage has been done. In the meantime, I have upgraded my credit monitoring with Equifax to an ID Protection Program that has locked my credit report. I will have to sign numerous reports and affidavits regarding these credit acquisition attempts. I’ve contacted all three bureaus to insure a fraud alert/victim statement is in place in their records. Those are only good for a 90-day period, but after I file a criminal complaint with my local Sheriff or State Attorney General, I will be able to place an extended alert that will last for 7 years with all three reporting agencies. These alerts will require extra validation and my direct approval prior to any new credit being opened in my name.
It is unclear how my information, especially my social security number, came to be in the hands of nefarious morons who thankfully have little acumen for accurate data input. One of the numerous people I spoke with last week asked me if I had recently lost a wallet, or experienced a break in at my office or residence. The answer to all three was “no”. I do not use public Wi-Fi networks while traveling, preferring to use the more secure hotspot from my cellular provider. If I must use a public Wi-Fi network, I use a secure VPN, and never access financial sites in that scenario. As a person fairly comfortable with internet technology, I never respond to (phishing) emails asking me to provide my personal information.
While there is no way for me to tell, I cannot remove from my mind suspicion of the various entities who have “required” my social security number over the years. First and foremost among these are doctor offices and medical facilities. I stopped providing my social security number to medical providers a couple years ago, as there is not a single valid reason they should have it. Yet, the box on the new patient form still beckons for that needless information. Notwithstanding, doctors whom I have been seeing for years do have that info on file.
This is important, as it has been determined medical offices are a prime source for identity thieves. In fact, some estimates are almost half of all identity theft now is happening at medical providers. The reality is that a file containing personal information can easily be stolen by a dishonest worker in any organization that possesses it, and sold to people who specialize in reselling this data.
I will likely never know who stole my information, or who is using it. However, I do know that the requirement of social security numbers of injured workers on many, many state forms is a liability that exposes our industry as well.
My company manages a massive library of jurisdictional workers’ compensation forms. In fact, we routinely maintain over 3,600 of them on file for 53 WC jurisdictions. Many of those forms mandate that the injured worker’s social security number be included with their use. Almost 1,100 of our forms contain special programming for a forms auto-population service we provide. Of those programmed forms, I can tell you that 505, or 46%, have a field designated for an injured worker’s social security number. There are no doubt many more in the broader collection, but without a form by form review it is impossible to know how many.
These forms are filed with carriers, TPA’s, state divisions, medical providers, law offices, supporting service vendors and more. We, as an industry, are spreading this critical information to many physical points; any one of which could be a potential breach point for identity theft. There is simply no need to assume such risk. Most of these claims could be managed without the inclusion of a social security number on a plethora of documents.
Some states have taken steps in recent months to minimize this exposure. North Carolina and Texas recently removed or will be removing full social security number fields from many forms, opting either for no number or just the last four digits. Kentucky has removed the number entirely from several forms, and I understand Maine and Oklahoma are starting to do so as well.
It is a nascent trend that is long overdue.
I do understand the inclusion of that information on initial FROI’s, but with a valid claim number it should be absolutely unnecessary on subsequent documents. I would encourage all state regulators to make an urgent review of their divisions requirements and practices in this area. We should neither willingly nor obliviously aid criminals who wish to exploit our vulnerabilities for their own selfish gain.
Injured workers’ have enough to worry about without the potential financial ruin that can accompany identity theft. We must as an industry do whatever possible to protect the integrity of their personal information. After all, some scumbag who steals your identity is very unlikely to return it. The best defense in preventing that from occurring is not to provide the tools for them in the first place.