My Social Security Number - How Secure Is It?

  1. Introduction
  2. Federal Government Use of Social Security Numbers
  3. State and Local Government Use of Social Security Numbers
  4. Business Use of Social Security Numbers
  5. Educational Use of Social Security Numbers
  6. Medicare Cards
  7. Can I Change My Social Security Number?
  8. The Social Security Death Master File
  9. Resources

1. Introduction

When Social Security numbers (SSN) were first issued in 1936, the federal government assured the public that their use would be limited to Social Security programs. The newly-created Social Security Board (which later became the Social Security Administration) created the 9-digit SSN to uniquely identify and determine Social Security benefit entitlement levels for workers. The Social Security Administration (SSA) creates and assigns unique SSNs for every eligible person as part of their work and retirement benefit record. 

Originally, the SSN was not intended to serve as a personal identifier outside of SSA’s programs but, due to its uniqueness, both government agencies and private sector entities now use the SSN as a way of identifying people.  The SSN has become the de facto national identifier.  Government agencies and private businesses use SSNs for a wide range of non-Social Security purposes, such as employee files, medical records, health insurance accounts, credit and banking accounts, and utility accounts.

SSNs are key pieces of personally identifiable information that potentially may be used to perpetrate identity theft. Identity thieves seek SSNs so they can assume the identity of another person and commit fraud. It’s relatively easy for someone to fraudulently use your SSN to assume your identity and gain access to your personal information. Identity thieves also can establish new credit and bank accounts in your name, or use your SSN for employment purposes or to obtain medical care. 

Therefore, it’s wise to limit access to your SSN whenever possible. Unfortunately, your SSN is often saved in numerous databases which may be subject to compromise by hacking or other means.  Data breaches involving the compromise of SSNs are a frequent occurrence.

2. Federal Government Use of Social Security Numbers

The federal government uses SSNs as unique identifiers for many purposes, including employment, taxation, benefits, and law enforcement.  The federal government may collect your SSN for many purposes including:

  • Filing your tax return
  • Filing for student financial assistance
  • Filing for housing assistance
  • Obtaining food stamps
  • Obtaining Medicaid assistance

The Privacy Act of 1974 requires all government agencies that request SSNs to provide a disclosure statement on the form. The statement explains whether you are required to provide your SSN or if it’s optional, how the SSN will be used, and under what statutory or other authority the number is requested. The U.S. Office of Management and Budget, Office of Information and Regulatory Affairs provides guidance and oversight regarding the Privacy Act.

The Privacy Act of 1974 states that you cannot be denied a government benefit or service if you refuse to disclose your SSN unless the disclosure is required by federal law, or the disclosure is to an agency that has been using SSNs before January 1975, when the Privacy Act went into effect. There are other exceptions as well.

If you are asked to give your SSN to a government agency and no disclosure statement is included on the form, you should complain to the agency and cite the Privacy Act of 1974. Unfortunately, there appear to be no penalties when a government agency fails to provide a disclosure statement.

The Social Security Number Fraud Prevention Act of 2017 (H.R. 624) will restrict the use of social security numbers on documents sent by mail by the Federal government, unless the head of a department or agency determines the inclusion of such a number is necessary.  The law does not take effect until September 15, 2022.

3. State and Local Government Use of Social Security Numbers

Some state and local government agencies, including tax authorities, welfare offices, and state Departments of Motor Vehicles, can require your SSN. Others may request the SSN, leading you to believe you must provide it.  Carefully read any government form requesting your SSN to see if you must provide it.

Under the Real ID Act of 2005, states must require proof of a person’s SSN (or verification that the person is not eligible for an SSN) when issuing a driver's license.  However, the Intelligence Reform and Terrorism Prevention Act of 2004 prohibits states from displaying your SSN on driver's license, state ID cards, or motor vehicle registrations.

Federal law authorizes states to collect your SSN for many additional purposes including:

  • Applying for public assistance
  • Issuing a birth certificate (parents' SSN)
  • To determine juror eligibility
  • Child support
  • Death records

The Privacy Act of 1974 requires that any state or local government agency that requests an SSN from an individual do three things:

  • tell individuals whether disclosing their SSNs is mandatory or voluntary
  • cite the statutory or other authority under which the request is being made
  • state what uses the government will make of the individual’s SSN.

4. Business Use of Social Security Numbers

SSNs are often used in the private sector as a means to authenticate the identity of individuals seeking financial or other transactions.  Except in those few situations where your SSN is required by federal law (see below), you are not legally compelled to provide your SSN to private businesses. There is no law, however, that prevents businesses from requesting your SSN, and there are few restrictions on what businesses can do with it. But even though you are not legally required to disclose your SSN, the business does not have to provide you with service if you refuse to release it. So in a sense, you are strong-armed into giving your SSN.  Here are some tips if a business requests your SSN:

  • If a business insists on knowing your SSN when you do not see a reason for it, we encourage you to speak to a manager who may be authorized to make an exception or who may know whether company policy requires it.
  • You can ask if there is an alternate number that you can provide to the company, such as your driver's license number. Also ask if you can provide a deposit rather than giving your SSN to the company.

Federal law requires private businesses to collect your SSN in certain situations.   A business must collect your SSN when (1) you are involved in a transaction in which the Internal Revenue Service requires notification, or (2) you are engaged in a financial transaction subject to federal Customer Identification Program rules.

SSNs are required on transactions in which the Internal Revenue Service (IRS) may be interested. That includes most banking, stock market and other investments, real estate purchases, many insurance documents, and other financial transactions as well as employment records.

Financial institutions are also required by federal law to participate in Customer Identification Programs (CIPs). Banks must keep records of identifying information and check customer names against terrorist lists. This applies to anyone who opens a new account. The CIP Rule does not require financial institutions to report your dealings to the government. However, sections of the Bank Secrecy Act do require transactions over a certain dollar amount to be either reported to the Financial Crimes Enforcement Network (FinCEN), a branch of the U.S. Department of the Treasury, or documented by the bank. Reporting requirements may vary depending on the type of financial institution.

Medical insurance.  The company or government agency providing your medical insurance will ask you to provide your SSN.

  • MediCal and Medicare are government health plans and can require an SSN for enrollment.
  • Commercial insurance companies can ask for your SSN.  Beginning with the 2015 tax year, the Affordable Care Act requires every provider of minimum essential coverage to report that coverage. Your health insurance company will provide Form 1095-B to you and to the IRS. The law requires SSNs to be reported on Form 1095-B. 
  • If you are covered by group insurance through your employer, a Mandatory Insurer Reporting Law (Section 111 of Public Law 110-173) requires insurers to report SSNs to the Centers for Medicare and Medicaid Services for both subscribers and covered dependents.  This information is used to coordinate Medicare payments with other insurance benefits. However, there is no language in Section 111 itself that mandates collection or reporting of all SSNs to Medicare. Medicare requires only that insurers send the Medicare ID numbers of Medicare beneficiaries, and that they take appropriate steps to ensure that they tell Medicare about all the Medicare beneficiaries they also provide coverage for.
  • Individuals who receive ongoing reimbursement for medical care through no-fault insurance or workers’ compensation or who receive a settlement, judgment or award from liability insurance (including self-insurance), no-fault insurance, or workers’ compensation may also be asked to provide their SSN.

Credit applications. Credit card applications usually request SSNs. Your number is used primarily to verify your identity in situations where you have the same or a similar name to others. Most credit card issuers will insist on having your SSN. But in rare cases, you may be able to find a credit issuer who will provide you credit without knowing your SSN, especially if you are persistent and can provide other forms of identification.

State laws. In California, state law restricts how certain businesses can display their customers’ Social Security numbers. It does not restrict the collection of SSNs, however, and it doesn’t affect government agencies. California Civil Code §1798.85 prohibits, for example, insurance companies from printing the SSN on identification cards that are carried in the wallet. Similarly, customers of banks and investment companies cannot be required to transmit the SSN over the internet when conducting business online, unless the number is encrypted. SSNs cannot be printed on documents sent through the mail, with some exceptions.

In most states, your employer can use your SSN as an employee ID number. However, the Social Security Administration discourages employers from displaying SSNs on documents that are viewed by other people — such as badges, parking permits, or on lists distributed to employees. Employers do, however, need each employee’s SSN to report earnings and payroll taxes.  In California and New York, as explained above, employers cannot display the employee’s SSN in certain situations.

5. Educational Use of Social Security Numbers

Publicly-funded schools and those that receive federal funding must comply with the Family Educational Rights and Privacy Act (FERPA) in order to retain their funding.  One of FERPA's provisions requires written consent for the release of “educational records” or personally identifiable information, with some exceptions. The courts have stated that SSNs fall within this provision.

FERPA applies to state colleges, universities, and technical schools that receive federal funding. An argument can be made that if such a school displays students' SSNs on identification cards or distributes class rosters or grades listings containing SSNs, it would be a violation of FERPA. However, some schools and universities have not interpreted the law this way and continue to use SSNs as a student identifier. To succeed in obtaining an alternate number to the SSN, you will probably need to be persistent and cite the law.

Public schools, colleges, and universities fall within the provisions of the Privacy Act of 1974. This act requires schools to provide a disclosure statement telling students how the SSN is used. If you are required to provide your SSN, be sure to look for the school's disclosure statement.

When the school is a private institution, your only recourse is to work with the administration to change the policy or at least to let you use an alternate identification number as your student ID.

The U.S. Department of Education and Department of Justice interpret the Privacy Act of 1974 as prohibiting a public school district from requiring a pupil or parent to provide an SSN or denying admittance because a pupil does not provide an SSN.

6. Medicare Cards

The Centers for Medicare & Medicaid Services (CMS) currently uses an SSN-based Health Insurance Claim Number (HICN) for Medicare transactions like billing, eligibility status, and claim status.  Your HICN is also printed on your Medicare card.  That means that if you lose your Medicare card, your SSN may be compromised.  This can lead to identity theft.  Likewise, any healthcare provider that you show your Medicare card to will know your SSN.

The Medicare Access and CHIP Reauthorization Act (MACRA) of 2015 required that SSNs be removed from all Medicare cards by April 2019.  Medicare cards are now being issued with randomly generated Medicare Beneficiary Identifier numbers (MBIs), which replace the SSN on the new Medicare cards for all Medicare purposes.  The Centers for Medicare & Medicaid Services (CMS) started mailing the new Medicare cards with the new MBI to all people with Medicare in phases by geographic location.  CMS is mailing new cards to the address you have on file with the Social Security Administration.  When you get your new card, be sure to destroy your old card by shredding it.

Until you receive a new Medicare card that does not contain your SSN, it is important to carefully guard your card.  Here are some tips:

  •  Do not carry your Medicare card with you unless you are visiting a healthcare provider for the first time.
  •  Remember that a hospital emergency room cannot refuse to provide true emergency care just because a patient does not have insurance or Medicare.
  •  Carry a photocopy of the card in your wallet with the last 4 digits of the SSN deleted.
  •  Do not pay anyone or give out your personal information over the phone to obtain your new card. Your card will automatically arrive in the mail.  You do not need to do anything.

7.  Can I Change My Social Security Number?

The Social Security Administration (SSA) will issue a new number only in certain very extreme cases.  A new SSN may be issued if you can prove that someone has stolen your number and is using it illegally. You must provide evidence that the number is actually being misused, and that the misuse is causing you significant harm on an ongoing basis. If your card has been lost or your number has fallen into the wrong hands, that's not enough. Further, SSA will not give you a new SSN to aid in avoiding legal responsibility, or in hiding bad credit or a criminal record.

SSA may also assign a different number if:

  • Sequential numbers assigned to members of the same family are causing problems
  • More than one person is assigned or using the same number
  • There is a situation of harassment, abuse or life endangerment

To get a new Social Security number, you must visit an SSA office. 

8.  The Social Security Death Master File

SSA maintains a Death Master File (DMF).  The DMF contains records of deaths that have been reported to SSA from various sources, including family members, funeral homes, hospitals, and financial institutions. 

SSA does not guarantee the accuracy of the DMF. The absence of a particular person from the DMF is not proof that a person is alive. Some individuals listed in the DMF are in fact alive.

The DMF is used to prevent fraud to help prevent stealing the identity of a dead person. It is used by credit reporting agencies, as well as government, financial, investigative, medical research organizations to verify death and to prevent fraud.  Conversely, information from the DMF can be used by identity thieves to obtain tax refunds for deceased persons or to apply for credit cards or obtain cell phones.   

Erroneous death entries can lead to benefit termination and closing or freezing of bank accounts, causing financial hardship. They also result in the publication of living individuals' personal identifying information in the DMF.  While those who are declared dead generally lose their ability to apply for credit, they may be at risk for other types of identity theft now that their personally-identifying information has been made public.

If you find out that your name is on the DMF, visit your local Social Security Administration (SSA) office with identification.  After correcting their records, SSA will provide you with a "Erroneous Death Case - Third Party Contact" notice.  You can use this notice to show that your death report was in error.  

9. Resources