Health providers' Social Security numbers posted on state site

December 8, 2006


At least several hundred, likely more, Social Security numbers of health care providers were posted to the Internet in a state contractor's mistake that officials were scrambling to fix Friday.

Human Resources Commissioner Linda McIntire said the names and Social Security numbers of doctors, psychologists and others were posted on a Web site where the state had posted a request for bids by contractors to be the state's health insurance administrator.

"Despite the fact that the information was open to access, we have no evidence to date to indicate that your Social Security number was obtained by anyone intending to misuse it," said a letter sent Friday by McIntire to medical and mental health care providers.

Social Security numbers are considered golden for identity thieves, who can use them to get access to bank accounts and take out credit cards or loans using the identity of the person identified by the number.

McIntire also wrote a stinging letter to the Segal Group, a New York-based consulting firm the state had used to help it put the health management contract out to bid. She said in an interview that Gov. Jim Douglas "is furious, and that's an understatement."

"We can hardly begin to express our disappointment that you allowed this to happen," McIntire wrote to the Segal Group. "We contracted with Segal and have used your services, at considerable expense, in order to have expert assistance from professionals who consistently deal with the challenges of seeking and evaluating bids from health care administrators. We did not expect to encounter this kind of problem as a result of your work."

McIntire said the state was nearing the end of a two-year contract with Segal with a price cap of $681,000.

Mary Feldman, a spokeswoman for Segal, said, "We have just learned about this. ... We're looking into the circumstances. And we're very committed to working with our client, the state of Vermont, to support those who are affected. ... We have called the state and we are waiting for their response."

Commissioner Thomas Murray of the state Department of Information and Innovation said his staff had been working since first learning of the problem on Monday to make sure the information is no longer on the Internet.

"We've taken all the appropriate steps to clean it up in all the places where it might have lived," Murray said, adding that "we're pretty confident" the effort had been successful.

McIntire said the information was posted on the Web site on which the state calls for bids on contracts from May 12 and was taken down June 19. But she said a doctor, whom she would not identify, told the state that her Social Security number was on the Internet as of this week.

The giant search engine Google allows Internet users to search "cached" Web pages, which allow the viewer to see what the page looked like at some time in the past.

Murray declined to say whether that was the method used to access the late spring Web posting this week. He also would not provide other details, saying he didn't want to provide information that might be helpful to someone bent on identity theft.

Assistant Attorney General Julie Brill said she had been told state officials had "confirmed with Google that the cached pages are no longer available."

Robert Snapp, an associate professor of computer science at the University of Vermont, said it's impossible to be completely sure that something once posted to the Internet isn't still available in cyberspace despite efforts to remove it.

"It's just a message that you have to be very careful what you put on the Web in the first place," Snapp said.

The state self-insures, providing medical and mental health coverage for 22,000 current and retired employees and their dependents, McIntire said. It hires an outside contractor to process claims. The health insurance giant CIGNA has held the contract for the past five years, and was the winning bidder to continue in that role.

For new bidders to provide a cost estimate, McIntire said, they needed to know what sort of bills health care providers had submitted in the past. Segal got from CIGNA a list of providers and their taxpayer identification numbers, which McIntire said is the standard tool with which the health insurance industry processes claims. In many instances, she said, providers' taxpayer identification numbers were the same as their Social Security numbers.

Paul Harrington, executive director of the Vermont Medical Society, said that beginning in March there will be a new system under the federal Medicare insurance program that will provide provider identification numbers to health professionals. He said it's expected those numbers will soon be used by the private insurance industry as well.

"Obviously with the frequency of identity theft, to have physicians' and other health care providers' Social Security numbers on the Internet through a state of Vermont web site is an unfortunate mistake," Harrington said.

Brill said those affected should get a credit report and closely monitor credit card and checking accounts to be sure they have not become victims of fraud. She said her office's Web site has a link for people who believe they may have been victims of identity theft.

main page ATTRITION feedback