The impoverished face enough challenges without the government adding identity theft to their woes. But officials at Maryland's Department of Human Resources are dealing with just that prospect after recently learning that an employee caused nearly 3,000 names with corresponding Social Security numbers to be placed on an Internet site.
That the DHR even learned that such a breach of protocol took place was only due to the efforts of the nonprofit Liberty Coalition, which works to maintain online privacy. When advocates spotted the personal data, they notified the state agency, which quickly had the information deleted from what turned out to be an employee's personal website.
Why did this unnamed employee load personal data from a two-year-old internal report reviewing eligibility for such benefits as Medicaid and food stamps to a website? That's not yet clear, but the agency's inspector general — along with the state attorney general's office — is investigating the case and the worker was dismissed Friday.
The risk posed by the incident is that the information will be used to steal identities of these current and former DHR beneficiaries, running up bills on credit cards, for example. The information was left on the website for about 2 1/2 months, from late April until last week — but so far, there have been no reports that it was misused.
To their credit, DHR officials have taken the matter seriously and acted promptly. Those on the list have already been notified of the incident by mail and given the opportunity to contact the agency on an 800-number created just for this purpose. They are eligible for up to one year of free credit monitoring, a safeguard that could wind up costing taxpayers as much as $136,000.
Certainly, the circumstances appear to be uncommon. Officials say this has never before happened to DHR data and that the agency follows IT security procedures that are the standard in both the public and private sectors. The department serves 738,000 clients, and its computers manage more than 3 million transactions per day. That includes everything from processing temporary assistance requests to child support payments.
But what the incident should raise questions about is the danger of tracking welfare recipients by Social Security number. The DHR has no choice in the matter, as the federal government requires their use, but the risk this practice poses is obvious.
Motor vehicle agencies don't track driver's licenses by Social Security number. Health insurers don't either. Financial institutions like banks and brokerages create unique identifies for clients as well. Clearly, if those organizations can deter fraud without using Social Security numbers to identify people, welfare agencies can, too.
Poor people may not have as many financial assets to lose as other Americans, but that doesn't mean they should be treated cheaply. This particular incident may have been caused by a rogue employee, but such sensitive information need not be put at risk to begin with.