boston.com your connection to The Boston Globe
Beta
Today's Globe    Local    Opinion    Magazine    Education    NECN    Special reports    Obituaries   
Traffic  |  Weather  |  Mobile

Exposed: ID theft vulnerability rises when data posted to 'Net

By David Gram, Associated Press Writer  |  January 14, 2007

SHELBURNE, Vt. --"Physician, Google thyself."

That 21st century spin on a biblical admonition is Dr. Linda Vieth Rosenblad's advice for her fellow health care providers.

It comes after a state contractor posted to the Internet the Social Security numbers of more than 1,100 doctors, psychotherapists and other health professionals.

"An old friend, somebody I hadn't seen in some time, Googled my name to see what I was up to," said Rosenblad, a Shelburne psychologist, who alerted state officials to the problem last month.

Up popped her name and Social Security number, on a list with those of other professionals who had submitted bills for treating state employees. The friend called to let her know. "I was alarmed," she said.

Social Security numbers are considered gold for identity thieves, and officials from three state agencies spent much of last month scrambling to fix the problem.

Rosenblad said she thinks others should do a Google search of the Internet for their own names to ensure that they don't turn up with their own personal information exposed.

The list was included in a state request for bids from companies that might want to take over administering health claims for 22,000 state employees, retirees and dependents. It was stricken from the Internet early last month.

Such exposures of personal information have become legion around the country. Many exposures have involved hacking or thefts of laptop computers containing the information.

The California-based Privacy Rights Clearinghouse keeps a chronology of such exposures on its Web site, and estimates that 100 million records containing sensitive personal information have been disseminated improperly in 2005, 2006 and the first days of 2007 alone.

In many instances, government agencies have made Social Security numbers available in online postings of real estate transactions, state regulatory filings and other records -- a situation Vermont's and other legislatures around the country have moved to address.

Vermont's law took effect July 1. Under it, according to the attorney general's Web site, "Social Security numbers are supposed to be redacted from documents that are posted or displayed in places of general public circulation."

Congress may step in with a federal law as well, said Sen. Patrick Leahy, D-Vt., chairman of the Senate Judiciary Committee. He's backing legislation that would bar federal, state and local agencies from including Social Security numbers in public records, among other measures.

"Social Security numbers can be the entry point to some of our most sensitive personal information," Leahy said. "When they aren't protected, privacy is lost, and identities can be stolen."

Marc Rotenburg, executive director of the Washington-based Electronic Privacy Information Center, said there are myriad ways identity thieves can make use of Social Security numbers.

In one example, he said many businesses, including cellular phone companies, use the last four digits of a customer's Social Security number as a password for account access. Someone with that information can track a person's cell phone calls. "That's a favorite trick of private investigators," he said.

Vermont Human Resources Commissioner Linda McIntire said that after learning of the security problem, state officials tried to figure out whose Social Security numbers had been exposed. They then sent letters to those people alerting them to the problem, set up a toll-free number for people to call with questions, arranged for free credit checks for those people and took other steps.

Rosenblad said she was still not satisfied, which is why she decided to step forward and contact the Associated Press. She charged that state officials had minimized the risks to those whose information was exposed, and minimized their own responsibility.

McIntire said in an interview that, on finding out about the problem, the state took all the steps it could. "We're responsible. It was posted to our Web site," she said. Rosenblad wrote to McIntire and Gov. Jim Douglas to say she was "appalled" at the state's response.

She said she was particularly troubled by the state's public statements in December that the list with Social Security numbers was available on a state Web site "that announces bid opportunities beginning on May 12, 2006, until it was removed on or about June 19, 2006."

She called that statement "false and misleading," saying the link from the state's Web site to the list was taken down in June, but not the list itself. As proof she offered her friend's discovery in early December.

"As health care practitioners, we are often 'Googled' by potential clients seeking information about our practices," she wrote to Douglas and McIntire. "Anyone who has 'Googled' my name between May 12 and December 6 of 2006 and read through the results has seen my Social Security number listed next to my name."

Rutland psychiatrist Dr. David McKay said Rosenblad, a friend, alerted him to the problem, and that a search of his own name on Dec. 3 produced his Social Security number as well.

He wrote that the state's Dec. 7 letter alerting providers of the problem "indicated that only bidders entering the site for business purposes would gain access to the information in question. This needs direct clarification."

No one whose number was exposed has reported actually being targeted by identity thieves, McIntire said. But Rosenblad said that's why accurate information about the timing of exposure matters. People need to know if their information has been off the Internet since June or since December.

"I just think it makes sense for anybody who was exposed to have accurate information to make good judgments about how to manage their risk," she said in an interview.

McIntire said she had tried to "strike a delicate balance" between alerting providers and the public about the problem without providing a "road map" for identity thieves showing where they might find the information.

Rosenblad said she didn't find that reasoning very satisfying, either. In her conversations with fellow health professionals about the issue, "One person said you don't need a road map when they've paved a superhighway to the information."

--------------------

On the Net:

Electronic Privacy Information Center: http://www.epic.org

Privacy Rights Clearinghouse: http://www.privacyrights.org

© Copyright 2007 Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
SEARCH THE ARCHIVES
feedback form | help | site index | globe archives | rss
© The New York Times Company