Insurance Company Mails Out Postcards With SSNs

It’s always nice when an insurance company mails your Social Security Number out on bare naked postcards for anyone to ogle, right?

Universal American Action Network, a subsidiary of Universal American Insurance, mailed out 80,000 such postcards to Medicare recipients around the country, WGAL of Pennsylvania reports.

The story gives the insurance company’s response to the epic failure:

UAM Action Network recently sent a mailer to approximately 80,000 Medicare Advantage plan members which mistakenly listed the member’s Medicare number on the postcard. The Medicare number was listed as part of the member’s mailing address and no indication was given as to its reference. We at the UAM Action Network sincerely apologize for this error, which was made by our mailing vendor without our knowledge. We have taken immediate steps to address the situation. The vendor has been fired. In addition, UAM Action Network will send a letter to those members who received the original mailer. The letter will notify them of the error and offer to provide the member with one year of free credit monitoring. Any member who received the mailer and has questions or concerns can contact us by calling 1-877-697-6228.

It’s nice that UAM is standing up and attempting to rectify the mistake, but frightening that something like this could ever happen in the first place.

80,000 Mailers Sent Out With Recipients’ Social Security Numbers In Plain View [WGAL (Pennsylvania)]
(Photo: frankieleon)
(Thanks, NORMLgirl!)

Comments

  1. Saboth says:

    Heh, the default action for these guys is always “one year of credit monitoring”. Guess that’s fine, unless someone decides to steal your identity in 13 months.

    • neekap says:

      @Saboth: I was going to say the exact same thing. You’d think if someone were to maliciously intercept this information that they would wait and see what course of action is being taken and work around it, like waiting 13 months in this case.

    • PsiCop says:

      @Saboth: That’s why CT AG Blumenthal usually advocates for two years of credit monitoring, rather than 1, when these things happen in CT. (Such as in this recent debacle — in which not only personal financial data was lost, but so too was medical information on patients). I’m not sure why the 2 year barrier seems to be important … perhaps someone has run the numbers to show it, perhaps not … but the assumption is that once this kind of data has gone over two years old, it’s too aged to be useful.

    • SacraBos says:

      @Saboth: I have email addresses that have never ever existed – but have been submitted to “remove lists”. They get spam delivered to them every single day as that address is sold, bought, and abused continuously.

      Why do people think SSN’s would be any different? They should be required to offer you credit monitoring for the rest of your life or pay all costs related to having your SSN changed.

      • MauriceCallidice says:

        @SacraBos: “I have email addresses that have never ever existed … They get spam delivered to them every single day as that address is sold, bought, and abused continuously.”

        How does spam get “delivered” to a nonexistent address?

        How would you know?

  2. zarex42 says:

    It’s pretty dumb, but the primary problem isn’t that SSN’s are shared – it’s that something so easy to acquire as an SSN is used for anything requiring security. That really needs to stop.

    • Loias supports harsher punishments against corporations says:

      @zarex42: I agree. It’s such a contradiction that your SSN is supposed to be treated like the Ark of the Covenant and yet every company and their mother asks for part or all of your SSN. What is it: highly confidential or a good idea for a personalized license plate?

  3. lehrdude says:

    Why would UAG give 80,000 SS numbers to a “Mailing Vendor” in the first place? Were they going to withhold Federal Income Tax on postage or something?

    • ColoradoShark says:

      @lehrdude: Yes, that was weaselly of the insurance company to blame their mailing vendor. The mailing vendor can’t make that mistake if you don’t send them the info.

      Right in line with the typical “need to know” policy. If you don’t need to know, then you shouldn’t get the information.

      Right in line with the idea that it is easy to keep a secret you don’t know about.

    • darkhorse43 says:

      @lehrdude: That was my thought exactly.

    • Strangel76 says:

      @lehrdude: I have to agree with this. Why was it necessary to share this data with the mailer vendor? Seems like it shouldn’t have been. It’s convenient to blame the vendor, but if UAG doesn’t share the info (which wasn’t relevant to the print job), then this doesn’t happen. I hope they review their own policies, and don’t exclusively shove the blame to the vendor.

  4. GreatWhiteNorth says:

    Hang on, a company that specialized in being a “Mailer” made this error!

    Isn’t knowing what is and isn’t acceptable part of the service a company like this is offering clients?

    Wow, talk about a business killing screw up.

    • scoosdad says:

      @GreatWhiteNorth: Not to defend what happened, but if UAG gave the mailer a mailing list that had a name and address with what may have appeared to be a random account number above the mail-to name, how are they supposed to know if the numbers were SSN’s or not?

      I get mailings from magazines I subscribe to all the time and my account number is part of the address on the mailing.

      I point the blame for this directly at UAG. As lehrdude says above, why would they have knowingly given the mailer the SSN’s as part of the mailing list in the first place? The firing of the mailer was, I think, just for show– they’re “taking it seriously”.

      • tripnman says:

        @scoosdad: Agreed. The problem started with UAG providing the mailer with the SSNs as part of the mailing database. This is a major data security error on their part. Assuming that there were multiple levels of approval by UAG before the mailing went out, the final approval to proceed was theirs. The mailer is being made a scapegoat.

  5. Thumbmaster says:

    Every time something like this happens, the offending company would offer a free one-year credit monitoring service. I bet there’s a huge spike in identity theft cases about 13 months after each incident.

  6. Blueskylaw says:

    One year of credit monitoring is only that, monitoring.

    Will they pay for the months of time, postage, telephone, lawyers and other expenses it can take to “fix” one’s credit because of this colossal blunder?

    • starrion says:

      @Blueskylaw:

      No. That is why there are flocks of lawyers circling the UAI HQ today. If people start getting ID thefted, then that is when the Class action Lawsuit starts.

      Of course if any of the 80,000 people get ID theft from a different origin, it will be up to UAI to prove it wasn’t them…..

  7. Veeber says:

    Watch out, the apology letter will probably have the SSN printed in the window too.

  8. Borax-Johnson says:

    Roosevelt is dead. It’s the newer guys’ fault.

  9. PLATTWORX says:

    “We at the UAM Action Network sincerely apologize for this error, which was made by our mailing vendor without our knowledge.”

    You did not monitor the content of your own mailings? You had no knowledge of what was being mailed and how it was being mailed? NICE ADMISSION!

    Also, saying to customers that “The vendor has been fired.” is horribly unprofessional to put in a letter. How about the marketing employees of UAM Action Network that were involved in hiring this vendor and working on the mailing? Have they also been dismissed as they should have been?

    I think more than a year of credit monitoring is in order here. Don’t you?

    • PsiCop says:

      @PLATTWORX: You’re right. I don’t buy that this project wasn’t proofed by UAM. Either it was and they let it go anyway, thus demonstrating incompetence; or they didn’t proof it at all, which is incompetence right off the bat. Either way, they cannot evade their complicity in this.

  10. Elcheecho says:

    how about perpetual credit monitoring?

  11. Optimistic Prime says:

    This is one of the problems with the medical industry as a whole. Many companies still use your SS# as an ID#. Think about it, just about every medical form you’ve ever filled out probably has your social on it.

    One other mailer to really worry about is specimen packaging. Often times the specimen goes into a clear mailer, paperwork and all. The problem is the minimum wage worker packaging it puts all your info facing out so anybody who touches that package can get names, addresses, social, phone, and D.O.B. Once you give your information to anybody, it’s no longer secure.

    • SadSam says:

      @Optimistic Prime:

      And most people give their SS# when they fill out that form at the doctor’s office. You don’t need to hand over your SS# and I don’t, the only number they need is my insurance company member number.

      Just leave it blank and when they ask for it ask why they need it and be prepared to point out that they don’t need it.

  12. stlbud says:

    Why was UAM giving Social Security numbers to their bulk mailing vendor?

    I appreciate their efforts to fix this but it shouldn’t have happened in the first place.

    Bill B.

  13. Megladon says:

    @hotdogsunrise:

    Like my dentist… I told them, I’m paying you with a check, you know where I live, having my SSN won’t help you if the above fails. I told them I wasn’t giving them my SSN or signing the mandatory arbitration. They still saw me, check cleared, all is good.

  14. PsiCop says:

    @DoctorMD: The problem is FDR died in 1945 and obviously could do nothing to prevent it being used that way, after then.

  15. tripnman says:

    @floraposte: Yes, you’d be surprised how often that happens. My company mails 100’s of thousands of pieces a month for our clients and we have very strict data handling procedures in-house (who can see the data, how quickly it is deleted from our systems after job completion, etc.). It’s our clients that cause the problem by sending us database files that include SSNs, account numbers, balances, phone numbers, e-mail addresses, membership expiration dates, so on. It never fails – people, please – if you are sending out a simplified mailing provide your mailer with ONLY the data they need – name and full address.