[Senate Hearing 114-857]
[From the U.S. Government Publishing Office]


                                                      S. Hrg. 114-857

                        PROTECTING SENIORS FROM
                     IDENTITY THEFT: IS THE FEDERAL
                        GOVERNMENT DOING ENOUGH?

=======================================================================

                                HEARING

                               BEFORE THE

                       SPECIAL COMMITTEE ON AGING

                          UNITED STATES SENATE

                    ONE HUNDRED FOURTEENTH CONGRESS


                             FIRST SESSION

                               __________

                             WASHINGTON, DC

                               __________

                            OCTOBER 7, 2015

                               __________

                           Serial No. 114-14

         Printed for the use of the Special Committee on Aging
         
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]         


        Available via the World Wide Web: http://www.govinfo.gov
        
                               __________
 
                    U.S. GOVERNMENT PUBLISHING OFFICE                    
48-680 PDF                 WASHINGTON : 2022                     
          
-----------------------------------------------------------------------------------   
       
                       SPECIAL COMMITTEE ON AGING

                   SUSAN M. COLLINS, Maine, Chairman

ORRIN G. HATCH, Utah                 CLAIRE McCASKILL, Missouri
MARK KIRK, Illinois                  BILL NELSON, Florida
JEFF FLAKE, Arizona                  ROBERT P. CASEY, JR., Pennsylvania
TIM SCOTT, South Carolina            SHELDON WHITEHOUSE, Rhode Island
BOB CORKER, Tennessee                KIRSTEN E. GILLIBRAND, New York
DEAN HELLER, Nevada                  RICHARD BLUMENTHAL, Connecticut
TOM COTTON, Arkansas                 JOE DONNELLY, Indiana
DAVID PERDUE, Georgia                ELIZABETH WARREN, Massachusetts
THOM TILLIS, North Carolina          TIM KAINE, Virginia
BEN SASSE, Nebraska
                              
                              ---------- 
                              
               Priscilla Hanley, Majority Staff Director
                 Derron Parks, Minority Staff Director
                         
                         
                         C  O  N  T  E  N  T  S

                              ----------                              

                                                                   Page

Opening Statement of Senator Susan M. Collins, Chairman..........     1
Opening Statement of Senator Claire McCaskill, Ranking Member....     3

                           PANEL OF WITNESSES

Sean Cavanaugh, Deputy Administrator and Director, Center for 
  Medicare, Centers for Medicare and Medicaid Services, U.S. 
  Department of Health and Human Services........................     5
Gary Cantrell, Deputy Inspector General for Investigations, 
  Office of Inspector General, U.S. Department of Health and 
  Human Services.................................................     7
Betty Balderston, Statewide Coordinator, Maine Senior Medicare 
  Patrol.........................................................     8
Marc Rotenberg, President, Electronic Privacy Information Center.     9

                                APPENDIX
                      Prepared Witness Statements

Sean Cavanaugh, Deputy Administrator and Director, Center for 
  Medicare, Centers for Medicare and Medicaid Services, U.S. 
  Department of Health and Human Services........................    27
Gary Cantrell, Deputy Inspector General for Investigations, 
  Office of Inspector General, U.S. Department of Health and 
  Human Services.................................................    35
Betty Balderston, Statewide Coordinator, Maine Senior Medicare 
  Patrol.........................................................    45
Marc Rotenberg, President, Electronic Privacy Information Center.    49

                        Questions for the Record

Sean Cavanaugh, Deputy Administrator and Director, Center for 
  Medicare, Centers for Medicare and Medicaid Services, U.S. 
  Department of Health and Human Services........................    61
Gary Cantrell, Deputy Inspector General for Investigations, 
  Office of Inspector General, U.S. Department of Health and 
  Human Services.................................................    62

 
                        PROTECTING SENIORS FROM
                     IDENTITY THEFT: IS THE FEDERAL
                        GOVERNMENT DOING ENOUGH?

                              ----------                              


                       WEDNESDAY, OCTOBER 7, 2015

                                       U.S. Senate,
                                Special Committee on Aging,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 2:09 p.m., Room 
562, Dirksen Senate Office Building, Hon. Susan M. Collins, 
Chairman of the Committee, presiding.
    Present: Senators Collins, Tillis, McCaskill, Casey, and 
Donnelly.

                 OPENING STATEMENT OF SENATOR 
                   SUSAN M. COLLINS, CHAIRMAN

    The Chairman. Good afternoon. The Committee will come to 
order.
    First, let me explain to our witnesses and those who are 
here today the unusual situation on the Senate floor in which 
we find ourselves. Much to our surprise, two votes were 
scheduled for 2:00 p.m. I have cast the first of those votes. 
My colleague and Ranking Member Senator McCaskill is on her way 
to cast that vote. Then the second vote will occur, and we each 
will have to go vote and have a short recess. Also complicating 
this afternoon's schedule is a classified briefing on Syria.
    I will beg the indulgence of our witnesses for less than a 
full attendance today due to conflicting events, such as the 
two votes on the DOD policy bill and also the classified 
briefing on Syria. Nevertheless, I do want to welcome you all 
here today.
    It comes as no surprise that Americans are very concerned 
about the risk of identity theft. According to a recent Harris 
poll, 70 percent of respondents cited identity theft as among 
their greatest security-related concerns, ahead of terrorism, 
personal safety, and natural disasters.
    Last year, more than 332,000 Americans reported being 
victimized by someone who had stolen their identity. According 
to the Federal Trade Commission, 28 percent of those identity 
theft complaints were reported by seniors. This is not a new 
problem. In fact, the FTC reports that identity theft has been 
its number one consumer complaint over the past 15 years.
    More than a decade ago, the Government Accountability 
Office cited the widespread use of Social Security numbers as 
identifiers by both public and private sector organizations as 
a major factor allowing criminals to commit identity theft. 
Subsequently, in 2007, the Office of Management and Budget 
directed all Federal agencies to develop plans for reducing the 
unnecessary use of Social Security numbers as identifiers in 
order to help protect individuals against identity theft.
    Since then, many Federal agencies that had used Social 
Security numbers as identifiers, including the Department of 
Defense and the Department of Veterans Affairs have removed 
these numbers from their identification cards. Private health 
insurers and State agencies have also discontinued their use of 
Social Security numbers. Yet, the Centers for Medicare and 
Medicaid Services, which provides Medicare cards for 55 million 
seniors and disabled individuals, still has not.
    While five years have elapsed since the OMB order to reduce 
unnecessary use of Social Security numbers, the GAO found in 
2012 and again in 2013 that CMS's efforts lagged behind other 
agencies and the private sector. As a consequence, the 55 
million Medicare cards in use today still clearly display an 
individual's Social Security number.
    Last March, Ranking Member McCaskill and I wrote to CMS to 
ask what steps the agency was taking to remove Social Security 
numbers from Medicare cards. In its response, CMS told us that 
it would, ``likely take approximately two to three years to 
make the necessary system modifications, conduct an outreach 
and education campaign, and issue new cards.''
    Since it was increasingly clear that CMS officials were 
going to continue to drag their feet, in April, Congress passed 
and the President signed into law, a law that requires CMS to 
remove Social Security numbers from all Medicare cards.
    In May, ten members of this Committee joined Ranking Member 
McCaskill and me in sending yet another letter to CMS, asking 
that we be further updated of its plans. In its response to 
this letter, CMS told us that they now anticipated that it 
would take four years to complete the project and that 
communications activities would continue through April 2019. In 
other words, CMS has actually lengthened its estimate of the 
time needed to solve this problem first identified by the GAO 
eleven years ago.
    This afternoon's hearing will allow us to hear from CMS why 
its completion of this important project, which is essential to 
help protect seniors from identity theft, has taken so long.
    For the victims of identity theft, the stakes are high. 
Identity thieves can drain bank accounts, make unauthorized 
credit card charges, and damage credit reports. When medical 
identity theft occurs, the thief can obtain medical care, buy 
drugs, and submit fake billings to Medicare. Some identity 
thieves have even used stolen personal information to obtain 
medical care for themselves or others. This can actually put 
lives at risk if the theft is not detected and the wrong 
information winds up in a victim's medical file.
    Moreover, it is not at all unusual for a victim of medical 
identity theft to be unaware that his or her personal 
information has been stolen. According to a 2015 study 
sponsored by the Medical Identity Theft and Fraud Alliance, on 
average, victims learn about the theft of their information 
more than three months following the crime. Some victims may 
never know how or when their medical identity was stolen 
because the criminals often hold the stolen information for 
months or even years before using or selling it.
    Our witness from the Office of the Inspector General will 
discuss what the OIG and its law enforcement partners are doing 
to combat medical identity theft and health care fraud.
    I also want to take a moment to give a special welcome to 
Betty Balderston from Winthrop, Maine. Ms. Balderston is the 
statewide Coordinator for the Senior Medicare Patrol in our 
State. Senior Medicare Patrol volunteers work locally to 
empower seniors and their families to fight health care fraud 
and abuse and to help them to identify identity theft.
    We can reduce the likelihood of identity theft through 
tougher prosecution, consumer education, and by removing Social 
Security numbers from Medicare cards without endless delays. I 
look forward to hearing from our witnesses.
    Senator McCaskill, I have explained the difficult schedule 
we are all operating under today. Please proceed with your 
statement.

                 OPENING STATEMENT OF SENATOR 
                CLAIRE McCASKILL, RANKING MEMBER

    Senator McCaskill. Thank you so much. Thank you, Chairman 
Collins.
    I am pleased we are holding a hearing on such an important 
issue. Given the recent passage of H.R. 2, the Medicare Access 
and CHIP Reauthorization Act of 2015, this hearing is both 
timely and very necessary. Today, we will again examine a 
problem causing significant angst to many Americans, especially 
our seniors.
    Identity theft occurs when personal identifying 
information, like a Social Security number, is stolen to 
fraudulently establish lines of credit, to make unauthorized 
credit card charges, and to drain bank accounts. More specific, 
medical identity theft, the fastest growing form of health care 
fraud, occurs when stolen personal information is used to 
submit fraudulent billings to Medicare or Medicaid, or to apply 
and actually receive Social Security benefits.
    Social Security numbers are exceptionally valuable to an 
identity thief. Therefore, the visual display of Social 
Security numbers on Medicare cards has played a significant 
role in putting Medicare beneficiaries, including more than 41 
million seniors, at risk of identity theft.
    Our seniors are particularly vulnerable. They use their 
Social Security numbers for a variety of reasons, including 
financial transactions and to obtain health services. More 
often than not, seniors carry their Medicare cards with them, 
as instructed by providers, which makes them more susceptible 
to identity thieves. Removal of the Social Security number from 
the Medicare card is a critical step toward hopefully reducing 
the number of seniors who are currently being targeted.
    Moreover, we have seen an alarming number of cybersecurity 
breaches of health care providers in the last several years. 
That means in addition to stealing information directly out of 
a senior's pocket, thieves can simply hack into a Medicare 
provider's system and take thousands of Social Security 
numbers.
    In 2007, the Office of Management and Budget issued 
requirements for the protection of personally identifiable 
information. These requirements directed all Federal agencies 
to reduce and eliminate usage of Social Security numbers. Since 
then, Federal agencies, such as the Department of Defense and 
the Department of Veterans Affairs, moved away from Social 
Security numbers as identification. Additionally, private 
health insurance companies, universities, and states have 
abandoned the practice of using Social Security numbers as 
identifiers.
    Yet, the CMS, the Centers for Medicare and Medicaid 
Services, continues to place Social Security numbers on more 
than 50 million Medicare cards currently in use. In fact, CMS 
has made minimal steps toward removing Social Security numbers 
from Medicare cards despite continued warnings from the 
Government Accountability Office in 2004, in 2012, in 2013, and 
2015 that the practice places millions of people at risk of not 
only identity theft, but severe financial loss.
    In 2014, the Federal Trade Commission reported that 
Missouri ranked fourth among states for identity theft and 
fraud complaints. That is after ranking 23rd the previous year. 
A 77 percent increase in complaints is not only substantial, it 
is alarming.
    Transitioning from the use of Social Security numbers as 
identifiers to an alternative identifier is no doubt an arduous 
task. However, there is no excuse for inaction when the safety 
and financial security of our seniors is at stake. Though CMS 
has offered a proposed plan and timeline, it has been, 
``planning to switch from using Social Security numbers as 
identifiers to alternative identifiers for almost a decade.''
    The time for action has long passed. Now that funding has 
been allocated, there is no time to waste. Our seniors cannot 
afford to wait. My hope is that through this hearing, we get a 
sense of CMS's plan, implementation process, and timeline to 
permanently remove Social Security numbers from Medicare cards 
to better protect our seniors.
    I thank Chairman Collins for her attention to this issue. 
She has been dogged in her pursuit of getting Social Security 
numbers off Medicare cards, and I look forward to hearing from 
our witnesses. I know she has probably explained we have an 
important security briefing on Syria for the Armed Services 
Committee, and so I do not want anyone to think I do not think 
this is important if I slip out long enough to get the secure 
briefing. My hope is to return before the hearing is concluded.
    Thank you very much, Chairman.
    The Chairman. Thank you.
    I would now like to call on our colleague, Senator Tillis. 
He, too, is on Armed Services and has to attend that classified 
briefing, so I am going to ask if he has some comments he would 
like to make.
    Senator Tillis.
    Senator Tillis. Thank you, Madam Chair.
    I did want to apologize. We were late because we had a 
vote, and we have to leave a little bit early to get off to a 
security briefing. Senator McCaskill and I rode up in the 
elevator together and we were talking about how glad we were 
that the Chair is holding this hearing.
    I do not understand the difficulty here. I mean, this is a 
blinding flash of the obvious in terms of what we need to do. 
Why you have been thinking it for 10 years and not taking 
action makes no sense to me. It defies any best practices in 
other government organizations and certainly in the private 
sector.
    I appreciate you all for the work that you are doing. I 
think that this is not a discussion about trying to sort out 
what needs to be done. It is really a discussion why it is not 
already done.
    I hope to get back so that I can hear some of your 
testimony and have an opportunity to ask you questions, but I 
thank you all for being here, and I know that I think I speak 
for many members of this Committee that we all agree that this 
is action that needs to be taken promptly in defense for our 
seniors. Thank you.
    The Chairman. Thank you very much.
    Now, we will turn to our panel of witnesses. First, we will 
hear from Mr. Sean Cavanaugh. He is the Deputy Administrator 
and Director of the Center for Medicare at the Centers for 
Medicare and Medicaid Services.
    Next, we will hear from Gary Cantrell, the Deputy Inspector 
General for Investigations at the Department of Health and 
Human Services.
    We will then hear from our witness from the great State of 
Maine, Betty Balderston, the statewide Coordinator for the 
Maine Senior Medicare Patrol. She has done an impressive job of 
recruiting some 80 volunteers across the State to assist her, 
and I am looking forward to hearing her testimony.
    Finally, we will hear from Marc Rotenberg, the Executive 
Director of the Electronic Privacy Information Center.
    We thank you all for joining us and we will start with your 
testimony, Mr. Cavanaugh.

              STATEMENT OF SEAN CAVANAUGH, DEPUTY

                  ADMINISTRATOR AND DIRECTOR,

                CENTER FOR MEDICARE, CENTERS FOR

              MEDICARE AND MEDICAID SERVICES, U.S.

            DEPARTMENT OF HEALTH AND HUMAN SERVICES

    Mr. Cavanaugh. Good afternoon, Chairman Collins, Ranking 
Member McCaskill, and Senator Tillis. Thank you for inviting me 
to testify today on CMS's work to remove Social Security 
numbers from Medicare cards.
    When the Medicare program was created in 1965, it was 
administered by the Social Security Administration. While CMS 
is now responsible for the management of Medicare, the Social 
Security Administration still enrolls beneficiaries and both 
agencies rely on interrelated systems to coordinate Social 
Security and Medicare eligibility.
    Upon enrollment, Medicare beneficiaries are assigned 
identification numbers, known as Health Insurance Claim 
Numbers, or HICNs, which are based upon a beneficiary's Social 
Security number. Providers use the HICN when they submit claims 
for services and supplies. CMS and its contractors also use the 
HICN to process claims, authorize payments, and issue 
beneficiary communications.
    Thanks to the Medicare Access and CHIP Reauthorization Act, 
or MACRA, which was enacted earlier this year, CMS will 
eliminate the Social Security number-based identifier on 
Medicare cards by April 2019. CMS has already begun the process 
of replacing the current HICN with a Medicare Beneficiary 
Identifier, or MBI, which will help beneficiaries better 
safeguard their personal information by reducing the exposure 
of their Social Security numbers. CMS will be able to terminate 
a compromised MBI and issue a new number as soon as it is 
reported as compromised, similar to how credit card companies 
respond to stolen card numbers.
    This is a substantial undertaking requiring coordination 
with Federal, State, and private stakeholders, updating and 
modifying numerous IT systems, and conducting extensive 
outreach to beneficiaries, providers, and other stakeholders. 
CMS must accomplish these tasks without disrupting 
beneficiaries access to care or payments to providers. CMS will 
assure a smooth transition by moving forward thoughtfully and 
taking lessons learned from other large scale, complex IT 
projects.
    CMS will develop, test, and execute systems modifications 
in a way that ensures compatibility with multiple outside 
systems, including every entity that bills Medicare. This work 
will affect more than 75 systems within CMS and 57 unique 
State, territorial, and Federal partners' IT systems. For 
example, the Social Security Administration and the Railroad 
Retirement Board will need to modify their eligibility 
enrollment systems, and the Medicare Administrative Contractors 
will need to modify systems to authorize coverage and process 
claims.
    Once systems modifications are in place, CMS will initiate 
an extensive and phased outreach program for an estimated 60 
million Medicare beneficiaries. We will have a series of 
communications that will inform beneficiaries that they will be 
receiving a new card, instruct them on how the new card should 
be used, and how to dispose of their old card. We will also 
work with Medicare providers on this transition and instruct 
them on how to use MBIs to submit claims and conduct other 
transactions. We must also ensure that private health plans, 
other insurers, and State Medicaid agencies are instructed on 
how to use MBIs so they can continue their coordination of 
benefit activities.
    Throughout this transition, CMS will continue to prevent 
and detect fraud by educating beneficiaries about the risks of 
medical identity theft. Information is available online and in 
the ``Medicare and You'' handbook, which is distributed to all 
Medicare households each fall. In these publications, 
beneficiaries are advised to guard personal information, check 
medical bills and billing summaries, be wary of telemarketers 
and anyone who offers free medical equipment or services, and 
alert CMS or the Inspector General if they see signs of fraud.
    In addition, we will continue to add compromised HICNs to 
our Compromised Number Checklist. This data base includes 
compromised provider and beneficiary numbers obtained through 
fraud investigations and complaints from providers or 
beneficiaries. CMS uses the checklist to inform sophisticated 
analytics through the Fraud Prevention System. This system 
identifies aberrant and suspicious billing patterns. Output 
from the Fraud Prevention System helps CMS focus its 
investigative resources on the misuse of HICNs and other 
egregious behavior. Through these investigations, CMS may make 
referrals to law enforcement or take other administrative 
actions, including revoking a provider's billing privileges or 
implement a payment suspension.
    The transition from HICNs to MBIs is complex. It requires 
complicated Federal, State, and private sector systems 
modifications and significant outreach to beneficiaries and 
providers. CMS is fully committed to completing this project on 
time to protect Medicare beneficiaries and the trust funds from 
fraud while minimizing confusion and disruption from denied 
claims or access to services.
    Thank you for your continued interest in Medicare and the 
beneficiaries we serve and we look forward to working with you 
to protect and strengthen the program. Thank you.
    The Chairman. Thank you very much.
    Mr. Cantrell.

               STATEMENT OF GARY CANTRELL, DEPUTY

             INSPECTOR GENERAL FOR INVESTIGATIONS,

          OFFICE OF INSPECTOR GENERAL, U.S. DEPARTMENT

                  OF HEALTH AND HUMAN SERVICES

    Mr. Cantrell. Good afternoon, Chairman Collins, and thank 
you for the opportunity to talk today about OIG's efforts to 
combat medical identity theft in Medicare.
    Medical identity theft can create patient safety risk and 
impose financial burdens on those affected and may also lead to 
significant financial losses for Medicare. Of concern are 
external threats posed by criminal enterprises and professional 
identity thieves, as well as internal threats from company 
owners, employees, practitioners, and patients who participate 
in these fraud schemes.
    Combating medical identity theft is among OIG's highest 
priorities. OIG advances our mission through a robust program 
of investigations, audits, evaluations, and compliance efforts. 
Combining data analytics with field intelligence, we identify 
areas most vulnerable to fraud and deploy our resources to 
ensure the greatest impact from our work.
    OIG works closely with the Department of Justice, CMS, and 
other Federal and State law enforcement partners to bring those 
who commit fraud against our program and beneficiaries to 
justice. Our Medicare Fraud Strike Force Teams located in nine 
cities throughout the country exemplify this approach. The OIG 
and our partners are committed to fighting and preventing 
fraud, waste, and abuse.
    Our efforts have produced significant results, including 
over 4,300 criminal and civil actions, over 11,000 exclusions, 
and nearly $11 billion in investigative receivables in the last 
three years. Since 1997, we have recovered more than $27 
billion to the Medicare Trust Fund.
    Despite these successes, more needs to be done. Fraud 
schemes are constantly evolving and migrating. Identity theft 
is now a common component of many fraud schemes we encounter. 
The patient and provider identifiers represent the keys to 
Medicare reimbursement, and as a result, both are targeted for 
identity theft.
    We have seen a variety of identity theft-related schemes in 
our enforcement work. Our cases include company owners that pay 
kickbacks to identity thieves for patient information, health 
care providers that steal the identity of another practitioner, 
and patients who participate in fraud schemes by selling their 
sensitive data for some sort of monetary gain or kickback.
    Annual Medicare spending is approaching $600 billion. An 
estimated 10,000 individuals become newly eligible each day. As 
the program continues to grow and evolve, criminals will 
continue to target the Medicare program for fraud. The need to 
protect the beneficiaries it serves from identity theft has 
never been more important.
    It will take an all hands-on deck approach. This includes 
targeted enforcement, such as our Medicare Fraud Strike Force 
teams, in collaboration with our external partners, including 
our program integrity and private sector contacts.
    It is also critical that we continue to educate our seniors 
so they can take steps to avoid being victimized by identity 
thieves. I would like to commend the Senior Medicare Patrol for 
their efforts in this area and express our commitment to work 
with the SMPs to educate seniors about identity theft.
    We would also like to thank Congress for your efforts to 
prevent medical identity theft, including this important 
hearing and recent legislation that requires the removal of the 
Social Security number from Medicare cards. We appreciate your 
sustained commitment toward our mission and your interest in 
this vital issue of protecting our seniors from identity theft.
    Finally, we encourage seniors to notify OIG's hotline if 
they suspect the fraudulent use of their Medicare number, 
either by visiting our website or by calling 1-800-HHS-TIPS.
    Thank you for the opportunity to speak with you today, and 
I would look forward to any questions you have.
    The Chairman. Thank you very much for your testimony.
    Ms. Balderston.

           STATEMENT OF BETTY BALDERSTON, STATEWIDE 
           COORDINATOR, MAINE SENIOR MEDICARE PATROL

    Ms. Balderston. Chairman Collins, I am honored to be here 
today to share information about the SMP projects in Maine and 
across the country and how we educate, empower, and provide 
assistance to Medicare beneficiaries, their families, and their 
caregivers to prevent Medicare errors, fraud, and abuse, 
including identity theft.
    Since my written testimony provides statistics and other 
details about our ongoing efforts to provide outreach, 
education, counseling, and assistance to seniors and people 
with disabilities receiving Medicare, I will focus my oral 
comments on the types of scams that have been reported and that 
relate to identity theft.
    In 2013, the Maine SMP received reports of callers claiming 
to represent Medicare and providing information about the 
issuance of new Medicare cards. The caller requested the 
person's Medicare number and their financial information. This 
same scam has surfaced again since Congress ordered Social 
Security numbers be removed from Medicare cards.
    According to reports from SMPs in other states, callers 
claiming to be from Medicare have contacted Medicare 
beneficiaries about other scams that include replacing their 
Medicare plan with an Obamacare plan and setting up home 
visits. In each instance, the caller requested personal 
information, including the beneficiary's Medicare number.
    On behalf of the SMPs nationwide, I applaud the efforts of 
Congress to eliminate the use of Social Security numbers on 
Medicare cards. This change will help address the issue of 
identity theft.
    However, our work is not finished. Scam artists are always 
ready to take advantage of the country's most vulnerable 
individuals, including seniors and people with disabilities. 
They are experts in gaining trust and stealing money and 
benefits from unsuspecting victims.
    A few years ago at a health care fraud panel presentation 
in Bangor, Maine, a senior reported he was a victim of identity 
theft, impacting his life for the previous five years.
    The SMPs are the front-line boots-on-the-ground programs 
that provide outreach, education, counseling, and assistance to 
individuals every day. Our volunteer programs work, with 
seniors helping seniors every single day to help our vulnerable 
citizens remain safe and to protect their identities.
    As the Centers for Medicare and Medicaid Services continue 
their work of transitioning to new Medicare cards, the SMP 
programs nationwide will continue our work, providing education 
about identity theft to Medicare beneficiaries, their families 
and caregivers, empowering them to protect their identities and 
to safeguard the Medicare program.
    I would like to thank CMS for its recent outreach and 
education campaign on Medicare fraud that includes television 
ads, a blog, and a You Tube video. I am proud to say that one 
of our Maine SMP volunteers, Stan Cohen, is actually part of 
that TV ad, providing information on the importance of reading 
Medicare statements. In rural states like Maine, TV ads are the 
most effective way of reaching Medicare beneficiaries statewide 
with our important messages.
    By all of us continuing to work together, we can make a 
difference in the lives of seniors and people with disabilities 
nationwide, empowering them to protect themselves against fraud 
and scams.
    Thank you again for the opportunity to be here today on 
behalf of the Senior Medicare Patrol programs, and I am happy 
to answer any questions you may have.
    The Chairman. Thank you very much.
    Mr. Rotenberg.

            STATEMENT OF MARC ROTENBERG, PRESIDENT, 
             ELECTRONIC PRIVACY INFORMATION CENTER

    Mr. Rotenberg. Chairman Collins, members of the Committee, 
thank you for the opportunity to be here today. My name is Marc 
Rotenberg. I am President of the Electronic Privacy Information 
Center. I also teach privacy law at Georgetown. I have been 
studying privacy issues related to the Social Security number 
for almost 25 years, and I just want to say how very grateful 
we are for your work on the Social Security number issue.
    There is no number that is more critical in record linkage 
and data base management in the United States, and there is no 
number that poses a greater risk to personal privacy and 
financial security. It is very important to continue to remove 
the Social Security number from identification documents that 
are used in the United States.
    In my testimony, I provide a great deal of history about 
the use and misuse of the SSN for personal identification. In 
my oral testimony, I would like to just highlight a few of the 
key points which I think underscore the need for the CMS to 
move quickly to take the SSN off the Medicare card.
    Now, as you know, this is not a new issue for Congress. In 
fact, back in 1973, a very famous report called ``Records, 
Computers, and the Rights of Citizens'' explicitly recommended 
that the SSN be removed from record management systems in the 
United States, and the Privacy Act of 1974, which was passed 
the following year, has a very specific provision, and it 
essentially tries to limit the use of the SSN across the 
Federal agencies, but as we all know, even with that 
restriction in place, the SSN continues to be used in the 
Federal Government and in the private sector.
    In 1991, I testified before a House committee, and I warned 
at that time that the use of the SSN would contribute to 
increasing financial fraud in the United States. We did not 
even have the term ``identity theft'' at the time. All we knew 
back then was that the Social Security number was being used by 
criminals to gain access to people's bank accounts and their 
financial records.
    In the 1990's, we also worked with the IRS to get the SSN 
off of the mailings that come from the IRS. We also worked with 
State governments to get the SSN out of State record systems, 
and we even had a case in Virginia where we got the SSN out of 
the voting rolls.
    Now, as you have described, from about 2004, the GAO and 
other government reports made clear the need to get the SSN off 
of patient record identity documents, because what we have now 
seen is that in no sector is the problem of identity theft more 
severe than it is in the medical records sector. All of the 
reports point to the highest level of data breach and identity 
theft taking place in the medical records sector. That is where 
Americans are most vulnerable, and that is also where the 
elderly are particularly vulnerable. The Department of Justice 
and the Federal Trade Commission have both pointed to the 
increasing levels of identity theft among the American elderly 
based on the availability of the Social Security number.
    Now, I have studied recently some of the history associated 
with the CMS and I simply do not understand the delay. We 
looked at the other Federal agencies and we looked at the 
Department of Defense, which has an extraordinarily complex 
record management program across many, many different 
components, and it is clear that the Department of Defense over 
the last several years has moved very aggressively and 
purposefully to get the Social Security number off DOD identity 
documents to make sure that that number is not even embedded in 
the magnetic strip, and I think the Department of Defense 
should be commended for the very good work they have done on 
behalf of servicemembers and their families, but it is not only 
DOD. Health care providers, the Harvard Community Healthcare 
Program took the SSN off of their identity documents. State 
governments have passed laws to have the SSN removed from the 
private payment identity documents. Every institution in this 
country is moving to get the Social Security number off of 
health ID documents.
    I think it is abundantly clear at this point in time that 
the greater delay is leaving Americans at risk, and American 
elderly communities are those who are most vulnerable, so thank 
you again for holding this hearing.
    The Chairman. Thank you for your excellent testimony.
    Senator Donnelly, have you voted yet on the second vote?
    Senator Donnelly. I have.
    The Chairman. Senator Donnelly, I am going to go into 
recess so that I can go vote, but if you want to----
    Senator Donnelly. I have to go to the briefing.
    The Chairman. You have to go to the classified briefing. We 
have a lot of overlap on our Committee. Thank you for coming 
by. I know this is an issue that you care deeply about.
    We will take an approximately 15-minute recess so that I 
can go to the floor, vote, and then I will return. Thank you 
for your patience.
    [Recess.]
    The Chairman. The Committee will resume the hearing, and 
let me welcome our colleague, Senator Casey. We are very glad 
that you could join us, and again, my apologies for the 
unpredictable Senate schedule that we have to cope with.
    Mr. Cavanaugh, let me start my questions with you. In 2004, 
more than a decade ago, the GAO reported that Social Security 
numbers are ``a key piece of information used in identity 
thefts.'' At the time of that report in 2004, most states had 
already taken Social Security numbers off of their drivers' 
licenses in recognition of this threat.
    Then we had a series of other reports. One of our 
witnesses, Mr. Rotenberg, mentioned a landmark that also could 
have been added to this list.
    In 2007, OPM issued a governmentwide order telling agencies 
to drop the use of Social Security numbers as an identifier. 
The Department of Defense, the Veterans Affairs Department 
complied. Several more states, private insurers, Harvard 
Pilgrim, as was mentioned, also stopped using it as an 
identifier.
    Then in 2008, we had the Inspector General of the Social 
Security Administration recommending the removal of the Social 
Security number from Medicare cards.
    In 2012, the same recommendation came from the Inspector 
General of HHS, the broader Department.
    I would add to this chart that Congress has weighed in on 
this issue many times, including this year in April as part of 
the change in the formula for doctors' reimbursements, passing 
a requirement that ordered--mandated--the Medicare agency to 
remove the SSN from the card.
    Now, I do recognize you are dealing with 55 to 60, I 
believe you said, million Americans and that this is a big 
project, but the Department of Defense, as another witness 
pointed out today, is hardly a small agency. The VA also deals 
with millions of Americans, and both those departments managed 
to get the Social Security numbers off of their ID cards four 
years ago, so why has it taken so long for CMS to tackle this 
issue? Why do you now predict that you are going to need the 
entire four years, to 2019, which is, after all, 15 years after 
the first red flag about this issue, before the numbers are no 
longer on the Medicare cards?
    Mr. Cavanaugh. Thank you, Chairman, for the question. It is 
an excellent and fair question. The short answer to your first 
question of what took us so long is funding, and in that 
respect, I applaud Congress, but specifically the leadership 
that this Committee has shown. As you know, the President's 
budget this year requested funding for this project, and just 
months after the President's budget was issued, Congress acted 
through MACRA and provided the funding, so we are pleased that 
we have a path forward. We have hit the ground running and we 
are working on a project that will get the Social Security 
numbers off the Medicare cards.
    We had, prior to that funding, made some incremental 
improvements, so for example, we have over 16 million Medicare 
beneficiaries in private Medicare Advantage plans, and at our 
direction, the Medicare Advantage plans have gotten the Social 
Security number off the cards that they use. We have gotten the 
HICN number of some of our communications with beneficiaries, 
such as the summary notices that go out quarterly, but I think, 
it is most importantly to do the job right and to do it 
completely, we needed the funding that Congress has provided, 
so we thank you for that and we look forward to accomplishing 
this.
    As to the question of why it is going to take time, I think 
it is important to understand two things. One, as you pointed 
out, and I appreciate you recognizing it, it is a complex 
technological challenge. There are within CMS over 75 systems 
that need to be updated, but more importantly, and unlike our 
colleagues at DOD and VA, we deal with many external partners, 
be they states, our administrative contractors, the Social 
Security Administration, so technologically, we are going to 
have to coordinate with them and make sure their systems are 
changed at the same time.
    The wild card in all this is how we roll it out to 
beneficiaries and providers. As you know--so, we anticipate 
when we roll this out, there will be 60 million Medicare 
beneficiaries. There are closer to 55, 56 million today. There 
are also, importantly, 1.5 million providers who bill Medicare. 
We have made a decision at CMS not to throw a switch one day 
and send all the cards out at one time and change the world in 
one fell swoop.
    A significant part of the calendar and timeline that we 
have established is a phased rollout that will give us time to 
educate both beneficiaries and providers on why the card is 
being changed, what they should do with it, to try to help 
distinguish this action from some of the fraudulent actions 
that you have heard about, because we have been training 
Medicare beneficiaries to be very suspicious about mailings and 
things like this, so we have got to make sure they understand 
this is one they can trust, so I think that is part of the 
timeline that often gets overlooked.
    We recently learned about the importance of really doing an 
extended outreach and education with the ICD-10 implementation, 
which just started recently, so we worked with providers over 
several years in that case, and I think it really accrued to 
our benefit and to the benefit of providers.
    Again, we thank Congress for the funding. I think it set us 
on a path to get where we all want to be, which is to get the 
number off the cards.
    The Chairman. Mr. Cavanaugh, 10,000 Americans are turning 
age 65 every day and, thus, eligible for Medicare. Would it not 
make sense to use an incremental approach and start with those 
new beneficiaries? You are not going to have to swap the cards 
out. There is no educational effort involved because they are 
coming in for the first time and getting their card, and I can 
tell you, though I will be interested if Mr. Rotenberg can add 
to this, that I believe health care providers would adapt in a 
nanosecond to this change and, indeed, welcome this change.
    Why would you not start with those 10,000 new beneficiaries 
that are coming into your offices around the country every day 
to enroll in Medicare? There is no education requirement. Why 
does that not make sense, and that would not be an expensive 
effort.
    Mr. Cavanaugh. You are correct, and that is a very 
attractive option. The problem, and the reason we are not 
pursuing that track, is that it is not simply a matter of 
issuing a card with a certain number on it. All of our internal 
systems, and as I mentioned, there are over 75 of them, look to 
the number to identify a beneficiary, and all these systems 
need to be changed to recognize the new MBI, which will be 
different than the HICN, and to communicate with our external 
partners so that they know what these are, so there is a 
technology side to this that needs to precede the change in the 
number, so it would be wonderful if we could throw a switch 
today and begin filtering these out, but unfortunately, we have 
explored this and we do not think it works.
    The Chairman. Mr. Rotenberg, you have dealt with health 
care insurers that have dropped the use of the Social Security 
number as an identifier. You said in your opening statement 
that it is the single most important set of numbers that an 
individual has when it comes to being vulnerable to identity 
theft. Do you think this would be difficult for health care 
providers to adapt to?
    Mr. Rotenberg. Chairman Collins, in fairness, I have not 
managed a transition of the type that CMS is obviously facing, 
but my sense is that your intuition is correct. In other words, 
the advantage of the incremental implementation avoids many of 
the difficulties that transitions necessarily raise. I am 
actually concerned, as I know Mr. Cavanaugh must be, about an 
education process that asks people to distinguish between a 
trustworthy communication and one that is not. That is already 
an opening for a new form of identity theft, and my thinking 
would be, let us do everything possible to try to avoid that.
    Paradoxically, public education is actually an indicator 
that the system transition is probably not adequately managed, 
because a smooth system transition would be completely 
transparent to the end user. They would not be aware of the 
change, and I think your point, that the ideal moment at which 
to implement a new numbering scheme is with the issuance of a 
new card. That is the experience at the State level with the 
driver's license. That is the experience in universities with 
student IDs, and I think it is the experience at the State 
level with most of the private insurers. Take that moment when 
you have a new beneficiary and you are about to issue a card to 
issue the correct card that minimizes the privacy risk.
    The Chairman. Thank you.
    Senator Casey.
    Senator Casey. Thank you, Madam Chair. I appreciate this 
hearing and I want to thank the panel for being here today. I 
missed your testimony, but I will try, based upon your written 
testimony, to pose a few questions.
    Mr. Cavanaugh, I would start with you with regard to the 
two parts of your testimony, one that says that if you have a 
health insurance claims number compromise, that that individual 
will still get care, but also at the same time you are saying 
that right now, CMS cannot issue new numbers, so I am trying to 
get a sense of what that means for--in the real world of the 
beneficiary and the provider.
    For example, for the provider, if they are in the case of 
having--dealing with an individual, or dealing with a claim 
where the individual's number has been compromised, what does 
that mean for that individual in terms of them? Will that 
provider have claims withheld? I guess that is part one, and 
then on the beneficiary end of this, will you also see 
instances where the beneficiary is refused services?
    Mr. Cavanaugh. Thank you for the question, Senator. No, so, 
as the current--as the checklist works, the number when it is 
identified as compromised goes into the system and then we 
start running analytics to look for suspicious behavior on the 
use of that number. We do not block use of the number, 
importantly, so the beneficiary who is using it legitimately 
can continue doing so, and similarly, providers who are billing 
legitimate services can continue doing so.
    I know there has been some concern that the fraudulent user 
of that number could accumulate services in a way that 
disadvantages the beneficiary, for example, services that are 
subject to a cap. We have asked and are willing to investigate 
any circumstances. We have not seen any specific circumstances, 
but it is a potential.
    I want to assure you, the beneficiary continues to receive 
services while we conduct an investigation about the use of 
their number.
    Senator Casey. Is it your testimony that the provider would 
not be adversely impacted, as well, in this instance where you 
have a compromised number?
    Mr. Cavanaugh. That is correct. The legitimate provider 
would not be adversely impacted. What we would be looking for 
is providers who are using the number in a suspicious way which 
would trigger an investigation either by us or our law 
enforcement partners.
    Senator Casey. Because of the numbers here, and I open this 
to the panel, the numbers are extraordinary in terms of fraud 
and in terms of the instances of fraud and it being the number 
one consumer complaint, so in the real world of families and 
beneficiaries, does anyone on the panel have an opinion about 
ways to be proactive when it comes to the family--warning signs 
that they should look for, on the one hand, and also proactive 
steps in light of those warning signs? Does anyone have any 
thoughts about that? Ms. Balderston.
    Ms. Balderston. I could speak to that. Some of the outreach 
and education that we do is to address exactly what you just 
suggested, and it is to get people to pay attention to their 
Medicare statements, to what is going on with their Medicare 
account, and a lot of our efforts are spent trying to 
personalize that, that this is not just a government program, 
but it is their health insurance.
    I think one of the most important things that CMS has 
created is myMedicare.gov, which allows people to set up their 
own Medicare account. We talk a lot about that with seniors, 
with their caregivers and their families, and the importance of 
utilizing that website so that they can look and see what is 
going on all the time, real time, with a person's Medicare 
account, because now that Medicare statements are only issued 
quarterly, it can be quite some time before somebody might 
notice something is going on with their Medicare account, so 
the myMedicare.gov site can be really helpful in that.
    Having said that, coming from a very rural State like Maine 
and a very old State like Maine, there are a lot of people that 
do not have access to websites, and so much of our education 
has been focused on the new Baby Boomers that are aging into 
Medicare and families and caregivers of existing Medicare 
beneficiaries.
    Mr. Rotenberg. Senator Casey?
    Senator Casey. Yes.
    Mr. Rotenberg. If I could just add a word, I wanted to 
commend, by the way, Ms. Balderston and her group for the very 
important work that they are doing, because for families that 
do run into issues around identity theft, it is very important 
that someone is available to assist them, and I really do want 
to thank you for that work.
    I will also say, the best outcome is to prevent the 
incident from occurring, because once a family confronts the 
problem, it is a very difficult problem. Identity theft is 
unlike other types of crime. If someone breaks into your car 
and steals the camera because you have left it in the back 
seat, you will know it. The camera is gone and the window is 
broken.
    People who sit on stolen Social Security numbers and bank 
account numbers can wait weeks or months. There can be one 
theft. There can be multiple thefts. The FTC, the Department of 
Justice, will tell you this is a very difficult crime to solve, 
and the best thing to do is to prevent it from occurring.
    If I may say one other thing, as I said in my opening 
testimony, I have been working on this issue for many years. In 
the early years, we thought the problem could be largely solved 
by preventing the display of the Social Security number, so a 
lot has been done over the years to take the SSN off of 
identity documents, but in fairness, I have to tell you, today, 
that with data breaches and criminal hacking, the data bases 
themselves are vulnerable, which means that it is not enough to 
simply take the SSN off the identity document.
    If you are collecting the SSN in the administration of a 
system, you have to ensure that it is secure. You have to have 
that data encrypted, because if people get access to it, it 
will be misused. The best starting point is to take the SSN off 
the ID document, but the other thing we have learned is that if 
you collect the SSN, you have to protect it.
    Senator Casey. Thank you very much. Madam Chair, thank you.
    The Chairman. Thank you.
    Ms. Balderston, you described a scam that I had not heard 
of prior to reading your testimony, where seniors will get a 
call from someone saying that they are issuing a new Medicare 
card and then they manage to get the Social Security number, 
the financial information, date of birth, all of the 
information that could be used to commit a really serious 
financial fraud.
    I am a little concerned when I hear about the talk of an 
educational campaign that there is a new card coming that that 
will feed into the kind of fraud that you described so well in 
your testimony. Could you comment on that?
    Ms. Balderston. Thank you, Chairman, for bringing that up. 
I, too, have been worried about the same thing, and I think 
that by working together, all of us working together and 
sharing information with consumers about what is coming up and 
what is happening--and I think the value of the SMP programs 
are we are local programs in our own states. People know us. We 
work together with partners that are in communities throughout 
our states. In Maine, as I am sure you are aware, we work with 
the Area Agencies on Aging and people know and trust them.
    I think for Maine and many other states like Maine, that 
really is the secret to helping people understand, is to use 
the trusted sources that are already in place and work together 
with CMS and others as they roll out this campaign so that we, 
as the boots on the ground, as I described earlier, and a 
familiar face and voice in our various states, that we can help 
get that message out to people.
    The Chairman. Well, I think that is an excellent suggestion 
for Medicare to follow, and your presence really does make a 
difference, and the work of the Area Agencies on Aging is just 
tremendous in the State of Maine, I know from personal 
experience, so I think that is an excellent suggestion.
    I still worry about the opportunity for criminals to take 
advantage of that, which is why I so strongly believe that the 
first step should be the new enrollees and get them their card. 
Their first card should be the card without any Social Security 
number on it and then figure out how we go from there.
    Mr. Cantrell, I remember years ago holding hearings on 
Medicare fraud and we actually had a witness who said that he 
used to deal drugs, but that he could make a lot more money and 
it was a lot safer for him to be involved in Medicare fraud. 
Can you explain to us in a little more detail some of the 
Medicare identity theft cases that you have been dealing with? 
You had an astonishing number of the amount of recoveries you 
have been able to do, for which I salute you, and I think you 
said $27 billion was being lost in waste, fraud, and abuse.
    This area of medical identity theft is a little different 
from the kind of provider fraud that we have seen in the past 
or people pretending to be providers and billing Medicare. 
Could you talk to us about what you are seeing in the area of 
medical identity theft.
    Mr. Cantrell. Absolutely, Chairman Collins. We have seen 
identity theft as a common theme throughout many types of fraud 
schemes. In some cases, there are individuals who have no 
intention of providing any legitimate service to anyone, but 
with the identity of the Medicare patient and the provider, 
they can submit bills with the intent of stealing money from 
Medicare, so there are some who are just straight-out criminal 
networks creating ghost companies, billing for services that 
were never rendered.
    We have also seen, unfortunately, some legitimate 
providers, or providers who provide some level of service using 
identity theft as a means of perpetuating fraud to gain 
additional reimbursement for services that they either did not 
provide or for patients who they did not see. We have seen in 
some cases insider threats at physician offices or at medical 
facilities where identities have been stolen and either are 
used for--to further Medicare fraud, or in some cases we have 
seen that data being passed on and used to commit tax fraud, so 
our patients can become victims to other types of fraud as a 
result of the theft of this data, in many cases.
    It ranges from people who will knock on the door of a 
facility or a nursing home where lots of Medicare beneficiaries 
are present and talk them into the need for a free service or 
some care that they maybe do not need and get their identifying 
information and begin billing for it, to the straight-up, no 
one has ever contacted this individual, but they have traded 
this information on the street somehow, some way. In the worst 
cases, we see what we call patient recruiters who will even go 
out and offer payment for exchange of what they call the red, 
white, and blue, the Medicare card, and that number on it, 
which is the key to Medicare reimbursement.
    The Chairman. In some cases, you have actually seen a 
Medicare beneficiary sell the information or be paid for the 
information and actually be a co-conspirator in the fraud?
    Mr. Cantrell. That is correct, Chairman Collins.
    The Chairman. I always hate to think of any senior doing 
anything wrong----but I guess it does happen occasionally.
    Mr. Cantrell. Unfortunately, they can be susceptible to 
these types of bribes, if you will, especially if they are 
financially not secure and someone is offering them a couple 
hundred dollars for either--and they do not have to do anything 
else, or maybe they get a trip to an adult day care center and 
they get some level of service that is not necessary that they 
did not need that would not have been prescribed by a 
legitimate physician.
    The Chairman. Mr. Cavanaugh, I have read what is in many 
ways an excellent brochure that the U.S. Administration on 
Aging puts out. I think it is used by a lot of the Medicare 
Patrol volunteers to try to educate people, and I was struck, 
however, by the irony of the cover of this brochure, which 
otherwise has excellent information, because what is the cover 
but a beneficiary actually holding up the Medicare card showing 
the Social Security number on it. Does that trouble you?
    Mr. Cavanaugh. I noticed the same thing. I took some solace 
in the fact that this seems to be a dummy card, so this is 
not----
    The Chairman. It is true. It does say ``Joe Doe'' and it 
has zeroes, but still, are you not sending a bit of a mixed 
message here? After all, I think the Social Security 
Administration first advised the public to stop carrying Social 
Security cards and Medicare cards that displayed the Social 
Security number clear back in 1994 and started printing, ``Do 
Not Carry It With You'' on the cards in 2002. Medicare in this 
brochure also has, ``Don't carry your Medicare or Medicaid card 
with you unless you need it. Only take it to doctors' 
appointments, visits to a hospital or clinic, or trips to the 
pharmacy.'' Is it not sending a mixed message to say that 
inside and then on the outside have someone hold up the card?
    Mr. Cavanaugh. Just to be clear, this is not a CMS 
publication, but I do think the publication has some excellent 
advice. Yes. I think probably a better picture could have been 
used, but this is, I think, a production of the Senior Medicare 
Patrol who do outstanding work and we appreciate their 
partnership in Combating Medicare fraud.
    The Chairman. Actually, it is funded by the Department of 
Health and Human Services, and we are told that it was CMS that 
provided all the graphics.
    Mr. Cavanaugh. Then it is an unfortunate choice, I agree, 
but I just want to emphasize that the information in here is 
really solid. The work the Senior Medicare Patrol does is 
great, because I do think an educated and attentive beneficiary 
is the best first line of defense on identity theft.
    The Chairman. I certainly agree with you on the work done 
by the Senior Medicare Patrol. I think they do a fabulous job, 
and I also agree with you that the information inside the 
brochure and the examples that are given are excellent and very 
helpful, but it is ironic, at best, and really unfortunate that 
the graphic that CMS designed shows that card. It sort of 
contradicts the message inside.
    Mr. Cavanaugh. The good news is, thanks to the leadership 
of you and the Congress, we will in the future not have to 
worry about that. We will still discourage people from flashing 
their cards like that, but we will have the Social Security 
number off the cards.
    The Chairman. Good. Mr. Cantrell, you have looked at this 
issue. You are familiar with the GAO reports that go way, way 
back to 2004. I do not know whether you are involved in those 
earlier studies----
    Mr. Cantrell. No, Chairman.
    The Chairman [continuing]. or you are too young to have 
been involved in those earlier studies, but what is your 
assessment of the responsiveness of CMS to GAO's 
recommendations in 2004, 2012, 2013?
    Mr. Cantrell. Well, I certainly believe from an anti-fraud 
perspective, the earlier and the sooner we can get the Social 
Security number off a card, the better. It has definitely been 
used to commit fraud against the Medicare program over the 
years since I have been here. I started with HHS OIG in 1996. 
It continues to be used in Medicare fraud schemes, and now we 
have seen, as a result of some of these identity thieves, fraud 
in other areas outside of the Medicare program, so we are 
looking forward to the day when the Social Security number is 
no longer used on the Medicare cards.
    The Chairman. Thank you.
    Ms. Balderston, when you work with seniors in Maine, how do 
you try to get the message across? Do you speak to senior 
groups in the state? Do you work with the AARP as well as the 
Area Agencies on Aging to try to get the message across of, be 
careful with this card?
    Ms. Balderston. Thank you, Chairman Collins. The answer is 
yes, we do all of those things. We do presentations to senior 
groups, to retiree groups. We do outreach through newsletters, 
through the Area Agencies on Aging as well as other partners 
that we have, like the Maine Association of Retirees, and we do 
education with the Maine Residence Service Coordinators 
Association, whose membership are people that work in senior 
housing facilities. They are the gatekeepers protecting the 
people that live in those facilities.
    We have a broad partnership, both within Maine and, I 
think, around the country with our programs, to work with other 
organizations that work with seniors and people with 
disabilities in order to get the message out. In states like 
Maine that are so rural and so large, that is the only way that 
we can get our message out, is by working together with lots of 
other partners.
    We also in Maine and in about half of the other states, the 
SMP programs also partner with the State Health Insurance 
Assistance Programs, the SHIP programs, and in Maine, as we are 
coming upon the Medicare open enrollment period here in just--
ooh, next week--part of the counseling that the SHIP counselors 
do is also to provide our information. They provide them with 
advice on looking at their Medicare statements to make sure 
that Medicare is not paying for a service or supply that they 
did not receive. They are encouraged to use personal health 
journals to track what is going on with their health care so 
that when they get statements, they have something to check it 
against, and we really try to be proactive in getting people 
involved in paying attention to their health insurance and 
their health care. We also promote the preventive services 
under Medicare.
    The Chairman. A friend of mine who receives Medicare in 
Maine was telling me that one of the things that upsets him is 
the Social Security number, the Medicare number is on 
statements that he receives from his bank because he 
automatically pays his Medicare premiums from his bank, but 
they send him a notice confirming that the transfer has 
occurred, and then right on that notice is his Social Security 
number. Have you seen that as a problem?
    Ms. Balderston. I have not seen that. I was not aware that 
that was happening, but that sounds like something perhaps we 
need to work with the Bankers Association.
    The Chairman. I mention it to you because I happened to 
meet with the Bankers just this week in Maine, and as you may 
know, Maine has a wonderful program called Senior$afe, which is 
aimed at preventing the exploitation financially of our seniors 
and I think it is an excellent model for other states to 
follow, as well. Again, I want to thank you for the work that 
you do.
    I am curious about one final point for you, and that is how 
many of your 80 volunteers that you have are seniors 
themselves?
    Ms. Balderston. Most of them are. I would say probably a 
good 85 to 90 percent are seniors, and we have really good 
volunteers. These are--a lot of these people have been 
professionals in their working life. When we train volunteers, 
one of the questions that I often ask them when they first come 
to us is what brought you here. Of all the volunteer 
opportunities that are available to you in Maine, why would you 
come here? The answer is always the same, because they care 
about people.
    They have been in situations where they have tried to 
figure out their own Medicare or their Medicare for a loved one 
and it is a very, very complicated health insurance program, 
and so, these people come so that they can help their families 
and their neighbors and people that life in their areas so that 
it is not as complicated, not as confusing, and so that people 
do not become victims of crimes like we have been talking about 
here today.
    The Chairman. Thank you very much.
    I want to give each of our witnesses a chance for any final 
comment that you would like to make, any advice to us before I 
close out the hearing. Mr. Rotenberg.
    Mr. Rotenberg. Well, again, Chairman Collins, thank you so 
much for your work and leadership on this issue. This is one 
that affects millions of Americans and it is a great thing that 
you are holding this hearing.
    As I tried to suggest during my testimony, the misuse of 
the Social Security number is a long-running problem in this 
country. There is a lot more that still needs to be done. We 
need to make the record systems more secure. We need to protect 
against other forms of identity theft, but I think there is no 
question that the right starting point is to get the Social 
Security number off of identity documents, particularly in the 
medical sector. That is where the greatest risk of identity 
theft exists.
    The Chairman. Thank you.
    Ms. Balderston.
    Ms. Balderston. Thank you, Chairman Collins. My one closing 
remark would be the ongoing support of both Congress and a 
variety of Federal agencies for the work that we do, and 
hopefully, we can continue to work together to help fight these 
crimes and make all of our states a better and safer place for 
our seniors and our people with disabilities.
    The Chairman. Thank you.
    Mr. Cantrell.
    Mr. Cantrell. Yes. I will just say that, once again, thank 
you for having this hearing. It is an important issue to us. It 
does directly lead to fraud in the Medicare program and other 
areas. We are looking forward to the time when the Social 
Security number is no longer on the card. It will take all of 
us at the table and throughout the U.S. to continue to protect 
this information. As was mentioned earlier, these systems that 
contain the Social Security numbers, even if it is not on the 
card, there is a treasure trove of data that is available if it 
is not properly secured, so I encourage us to continue to look 
to ways to properly secure this data.
    The Chairman. Thank you.
    Mr. Cavanaugh.
    Mr. Cavanaugh. Thank you. Again, I want to thank your 
leadership, this Committee's leadership in getting us the 
funding so we can all get to where we agree that we need to be, 
which is to get the numbers off the card, but to echo Mr. 
Cantrell's remarks, this will be an important step in 
preventing fraud. It will not be the final step, and so, we 
look forward to working with you to make sure we have other 
ways to protect both the beneficiaries and the Trust Fund.
    The Chairman. Just think, if we could recapture or cut in 
half that $27 billion that is lost to waste, fraud, and abuse 
because the Social Security number makes us so vulnerable to 
that kind of fraud, what good things we could do with that 
money, including shoring up the Social Security Disability 
Insurance Trust Fund, which is going to go broke next year if 
we do not act. It would also be very reassuring to America's 
seniors, since they rank identity theft so high in their lists 
of concerns.
    I do appreciate your sincerity in recognizing the 
seriousness of this problem, but I would be remiss if I did not 
express the frustration of the 12 members of this Committee 
that have written to you with the slow pace, and I really urge 
you to look at an incremental approach, starting with new 
beneficiaries, where you would not have to swap out cards and 
there would not be the educational effort that you are 
concerned about, and there would not be the opening for the 
fraudsters who are going to call up the beneficiary and say, 
hey, we have got your new Medicare card and all we need is, 
which is what I fear is going to happen. We are going to have 
to have a really effective public outreach campaign to prevent 
more fraud from happening during that period, but surely, 
surely, you ought to be able to start by the beginning of next 
year, in my judgment, with the new beneficiaries that are 
coming in and giving them a new card---their first card--with 
an identifier that is not the Social Security number. I really 
hope that you will work toward that goal.
    Working together, I am convinced that we can solve this 
problem, but I do not want in the year 2019 to be calling CMS 
before this Committee and find out that we have done yet 
another study, or that we are having technical problems, or 
that we really have not made the progress that other 
departments have demonstrated can be made through a concerted 
effort.
    I want to thank all of you for being here today and for 
your testimony, and again to apologize that it turned out to be 
a day--this is the life in the U.S. Senate--where we could not 
control all of the competing votes and briefings that were 
going on.
    For that reason, I strongly suspect that many Committee 
members will be submitting additional questions to you for the 
record, and they will have until Friday, October 16th, to 
submit those questions for the record.
    I want to thank you for your cooperation today. Let us get 
this problem solved.
    This hearing is adjourned. Thank you.
    [Whereupon, at 3:38 p.m., the Committee was adjourned.]
    
=======================================================================


                                APPENDIX

=======================================================================


                      Prepared Witness Statements

=======================================================================

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

=======================================================================


                        Questions for the Record

=======================================================================

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

                            [all]